Access and security for settings.php

Hi,

I am new to elgg. I am in fact considering starting using it.

After the installation process, I see that the settings.php (which contains among other things the database password) is located inside the root folder (in the elgg-config sub folder of the root folder).

I know elgg is a well established software and I hence believe it is me who does not understand something and not the project that is wrong. I am trying to understand if this is safe.

My understanding would be that such credentials should be in a file located outside of the root folder. I would also think that proper permissions on the settings.php could alternatively do the trick. I however see no instructions to set permissions that would prevent reading of this file from the outside world.

What am I missing?

Thanks a lot!

  • Welcome to Elgg!

    You shouldn't set read/write permissions on the root installed folder for the server user (i.e. www-data, httpd etc.) but only local users.

    Usually we create another user without root permissions to change and read the root installed folder on his behalf.

    chown -R developer:developer /var/www/elgg/

    The exception is the data folder.

    I also recommend you set chmod 444 on the settings.php file after you've made all the changes you want:

    chmod 444 /var/www/elgg/elgg-config/settings.php
  • Thanks! This helps a lot!
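An added audit helper (not from the Elgg project or the replies above) that verifies the layout the first reply describes: settings.php carries no write bits (444 as recommended, or stricter) and the install root is not owned by the web server user. It assumes GNU coreutils `stat -c` and takes the install root and the server user name as arguments.

```shell
#!/bin/sh
# Audit an Elgg install against the permission advice in the reply above.
# Assumes GNU stat (Linux). Prints each failed check and returns 1 if any
# check fails, 0 when all pass.
# Usage: check_elgg_perms /var/www/elgg www-data

check_elgg_perms() {
    root="$1"
    webuser="$2"
    settings="$root/elgg-config/settings.php"
    failures=0

    if [ ! -f "$settings" ]; then
        echo "FAIL: $settings not found"
        return 1
    fi

    # 1. settings.php must not be writable by anyone: the octal mode must
    #    carry no write bits (444 as recommended, or 440/400).
    mode=$(stat -c '%a' "$settings")
    if [ $(( 0$mode & 0222 )) -ne 0 ]; then
        echo "FAIL: $settings is mode $mode; expected no write bits (e.g. 444)"
        failures=$((failures + 1))
    fi

    # 2. The install root must belong to a local user, not the server user,
    #    so the PHP process cannot rewrite application code or the config.
    owner=$(stat -c '%U' "$root")
    if [ "$owner" = "$webuser" ]; then
        echo "FAIL: $root is owned by the web server user '$webuser'"
        failures=$((failures + 1))
    fi

    # 3. The install root must not be world-writable either.
    rmode=$(stat -c '%a' "$root")
    if [ $(( 0$rmode & 02 )) -ne 0 ]; then
        echo "FAIL: $root is mode $rmode; must not be world-writable"
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ]
}
```

Run it after applying the chown and chmod steps; any FAIL line names the path and mode that still needs correcting.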