Hi,
I am new to Elgg. I am in fact considering starting to use it.
After the installation process, I see that the settings.php (which contains among other things the database password) is located inside the root folder (in the elgg-config sub folder of the root folder).
I know Elgg is well-established software, and I hence believe it is me who does not understand something and not the project that is wrong. I am trying to understand if this is safe.
My understanding would be that such credentials should be in a file located outside of the root folder. I would also think that proper permissions on settings.php could alternatively do the trick. I however see no instructions to set permissions that would prevent reads of this file from the outside world.
What am I missing?
Thanks a lot!
Welcome to Elgg!
You shouldn't set read/write permissions on the root installed folder for the server user (i.e. www-data, httpd, etc.) but only for local users.
Usually we create another user without root permissions to change and read the root installed folder on his behalf.
The exception is the data folder.
I also recommend you set chmod 444 on the settings.php file after you've made all the changes you want:
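An added example, not part of the reply above and not Elgg's own tooling: a shell check that settings.php carries no write bits (the state `chmod 444` leaves it in) and a listing of what a given account can still modify under the install folder, skipping the data folder. The function names, the paths and the account name passed in are assumptions.

```shell
#!/bin/sh
# Added example: check an Elgg install against the permission advice above.
# Every path and account name is supplied by the caller; none is an Elgg default.

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# settings_is_readonly FILE
# Succeeds only when FILE exists and has no write bit for owner, group or
# other. Returns 2 when the file is missing or cannot be inspected.
settings_is_readonly() {
    [ -f "$1" ] || return 2
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 0222 )) -eq 0 ]
}

# writable_by INSTALL_DIR USER [DATA_DIR]
# Lists paths under INSTALL_DIR that USER can modify as owner, plus anything
# world-writable. Symlinks are ignored because their own mode bits are not
# enforced. DATA_DIR, the stated exception, is pruned when given.
# Group-write access is not evaluated here.
writable_by() {
    find "$1" -path "${3:-/nonexistent}" -prune -o \
        ! -type l \( \( -user "$2" -perm -200 \) -o -perm -002 \) -print
}

# Usage (placeholder values):
#   settings_is_readonly /path/to/elgg/elgg-config/settings.php \
#       || echo "settings.php is missing or still writable"
#   writable_by /path/to/elgg www-data /path/to/elgg-data
```

Any path printed by `writable_by` for the web server account is a file that a compromised PHP process could rewrite.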
Thanks! This helps a lot!