Hide your data!

If you run WordPress, pay attention to this issue:

The database access parameters are stored in wp-config.php, in your blog's root directory. This file must be readable by the PHP engine, and whether it is depends on the UIC: the current PHP implementation on VMS does not take ACLs into account, so ACLs alone are not enough.
Not that ACLs would help much anyway, since the PHP engine runs under the webserver's account (or one closely related to it, depending on the server). In other words: the webserver is able to read the file.
So is any other user who gains access to the file!
In itself that need not be a problem, but if for some reason a user has access to the directory itself, your database is wide open.

To prevent this, move the database access data (at least the database name, username, password and host, and optionally the table prefix) out of wp-config.php into a separate file that wp-config.php then includes. Store that file in a location that is NOT accessible over the web.

An example: this is the original wp-config.php:

    <?php
    // ** MySQL settings ** //
    define('DB_NAME', 'WPDB');             // The name of the database
    define('DB_USER', 'MyBlogMgr');        // Your MySQL username
    define('DB_PASSWORD', 'MyDBPassword'); // ...and password
    define('DB_HOST', 'localhost');        // 99% chance you won't need to change this

    // You can have multiple installations in one database if you give each a unique prefix
    $table_prefix = 'prfx_';   // Only numbers, letters, and underscores please!

    // Change this to localize WordPress. A corresponding MO file for the
    // chosen language must be installed to wp-includes/languages.
    // For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
    // to enable German language support.
    define ('WPLANG', '');

    /* That's all, stop editing! Happy blogging. */
    define('ABSPATH', dirname(__FILE__).'/');
    require_once(ABSPATH.'wp-settings.php');
    ?>

This is the new one:

    <?php
    require_once('/closet/dbaccess.php');

    // Change this to localize WordPress. A corresponding MO file for the
    // chosen language must be installed to wp-includes/languages.
    // For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
    // to enable German language support.
    define ('WPLANG', '');

    /* That's all, stop editing! Happy blogging. */
    define('ABSPATH', dirname(__FILE__).'/');
    require_once(ABSPATH.'wp-settings.php');
    ?>

The included file "closet:dbaccess.php" contains the sensitive data:

    <?php
    // ** MySQL settings ** //
    define('DB_NAME', 'WPDB');             // The name of the database
    define('DB_USER', 'MyBlogMgr');        // Your MySQL username
    define('DB_PASSWORD', 'MyDBPassword'); // ...and password
    define('DB_HOST', 'localhost');        // 99% chance you won't need to change this

    // You can have multiple installations in one database if you give each a unique prefix
    $table_prefix = 'prfx_';   // Only numbers, letters, and underscores please!
    ?>

CLOSET is a logical name referring to a location on the system that is inaccessible from the webserver (there is no mapping for it, so the server cannot serve anything from it):

$ DEFINE/SYSTEM CLOSET SECDISK:[SECURED]

and give the directory W:E protection and all files in it W:R. Note that W:R still lets any local user who knows the file name read it (W:E on the directory allows access by name but prevents a listing), so against local users the protection rests on the logical and the file name not being guessable. Where the webserver's account can own the file or share its UIC group, give it owner or group read instead and leave World with no access at all.
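One weakness of the plain require_once above is that a missing or unreadable closet file makes WordPress continue with undefined DB_* constants, and nothing stops someone from pointing the include back at a file inside the web root. The following wp-config.php is an added example (not code from the original post or from WordPress) that loads the secrets from the page's /closet/dbaccess.php path, refuses to start if that file is absent or resolves inside the web root, and checks that the include really defined what wp-settings.php needs. It assumes a Unix-style PHP; on VMS, realpath() of a logical-name path may need adjusting.

```php
<?php
// Added example, not from the original post: wp-config.php that loads the
// database credentials from a file outside the web root and fails closed.
// Assumed: the secrets file is /closet/dbaccess.php and ABSPATH is the web root.

define('ABSPATH', dirname(__FILE__) . '/');

$secrets_file = '/closet/dbaccess.php';

// Returns null on success, or a short reason string (for the error log only).
function load_db_secrets($secrets_file, $web_root)
{
    // The secrets file sets $table_prefix; it must land in the global scope,
    // not in this function's scope, or wp-settings.php will not see it.
    global $table_prefix;

    // Fail closed: never run with undefined DB_* constants.
    if (!is_readable($secrets_file)) {
        return 'database configuration unavailable';
    }

    $real = realpath($secrets_file);
    $root = realpath($web_root);
    if ($real === false || $root === false) {
        return 'database configuration path could not be resolved';
    }
    // Refuse secrets that live inside the web root: that is exactly the
    // exposure the separate file is meant to remove.
    $root_prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $root_prefix) === 0) {
        return 'database configuration is inside the web root';
    }

    require_once $real;

    // Verify the file actually defined everything wp-settings.php will need.
    foreach (array('DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST') as $c) {
        if (!defined($c)) {
            return "database configuration is missing $c";
        }
    }
    if (!isset($table_prefix)) {
        return 'database configuration is missing $table_prefix';
    }
    return null;
}

$err = load_db_secrets($secrets_file, ABSPATH);
if ($err !== null) {
    // Log the detail server-side; show the visitor a generic message only,
    // never the path or the reason.
    error_log('wp-config: ' . $err);
    header('HTTP/1.1 503 Service Unavailable');
    exit('Site temporarily unavailable.');
}

define('WPLANG', '');

/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
```

The closet file itself stays exactly as shown above; only wp-config.php changes. The realpath() comparison is what catches a later "helpful" edit that moves dbaccess.php back under the document root, and the 503 with a generic body keeps the failure from turning into an error page that leaks file names.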

Now the blog is accessible as usual, and the sensitive data is hidden from the world.
