Hello.

Is it safe to place config.php in the root of your website even though it has permissions set to 644?

+1  A: 

As long as no one has SSH or FTP access to your server, and there is no bug / security hole in your website that would allow anyone to access the sources of the PHP files, this should be quite OK.

Note that your Apache user has to access that file (so it can be included from other PHP scripts); so, wherever you put it, if you have a security hole that allows PHP files to be read by users, it won't change a thing.


An idea might be to put that file outside of the document root, or inside a directory protected by an .htaccess file denying access from anyone -- at least, this way, if your server is not well-configured and displays the source code of PHP files, the content of that file would not be displayed (as it could not be accessed/served directly via HTTP).

This will not help in the case of a security hole that allows a PHP file to display the content of other PHP files (I've seen that happen), but that would still be a first step.

Pascal MARTIN
Is it possible for a hacker to checkout .htaccess then?
Cudos
What do you mean by "checkout .htaccess"? Generally, Apache is configured so that no one has access to files whose names start with ".ht"
Pascal MARTIN
English is not my first language, sorry. You gave the answer - they can't read it.
Cudos
OK :-) (English is not my first language either -- don't worry about that ^^ )
Pascal MARTIN
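
A deployment check for the placements discussed in this answer, as an added example that is not part of the original answer: it reports whether a config file is world-readable (as with 644) and whether it sits inside the document root with or without an `.htaccess` deny rule above it. The function name `audit_config`, the finding labels and the sample layout are assumptions constructed for illustration.

```python
import os, re, stat, tempfile
from pathlib import Path

# Apache deny rules: "Require all denied" (2.4) or "Deny from all" (2.2).
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)

def audit_config(config_path, docroot):
    """Hypothetical helper: return finding labels for one config file."""
    cfg, root = Path(config_path).resolve(), Path(docroot).resolve()
    findings = []
    if stat.S_IMODE(cfg.stat().st_mode) & stat.S_IROTH:
        findings.append("world-readable")  # e.g. 644: every local account can read it
    if root in cfg.parents:
        # Walk from the file's directory up to the docroot looking for a deny rule.
        denied = False
        for d in [cfg.parent, *cfg.parent.parents]:
            ht = d / ".htaccess"
            if ht.is_file() and DENY_RE.search(ht.read_text()):
                denied = True
            if denied or d == root:
                break
        findings.append("in-docroot-denied" if denied else "in-docroot-served")
    return findings

def demo():
    """Audit three constructed layouts built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "htdocs")
        (root / "inc").mkdir(parents=True)
        Path(tmp, "private").mkdir()
        (root / "inc" / ".htaccess").write_text("Require all denied\n")
        layouts = {
            "webroot": (root / "config.php", 0o644),
            "htaccess": (root / "inc" / "config.php", 0o644),
            # Assumes the file's group is the web server's group, so 640 still works.
            "outside": (Path(tmp, "private", "config.php"), 0o640),
        }
        results = {}
        for name, (path, mode) in layouts.items():
            path.write_text("<?php $db_pass = 'constructed-sample';\n")
            os.chmod(path, mode)
            results[name] = audit_config(path, root)
        return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

An `.htaccess` deny rule only takes effect if the server's `AllowOverride` setting permits it, which this check cannot see from the filesystem.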
+2  A: 

your config.php should be readable by your web server, and no fiddling with permissions will change that. also, putting it anywhere else will not help much - because since your php code should be able to read it, any hacker that manages to run his code on your server will be able to read it.

so, no matter where you put it, it's in danger of being accessed by a hacker that managed to hack your server. putting it in the web root is not more or less secure than putting it anywhere else.

Omry