> > Wouldn't it be possible to make this a httpd.conf configuration
> > option?
>
>  No. It will raise a security issue. In 1.4 these defaults will be
>  changeable via a configure option for midgard-lib, but integration with
>  Apache's httpd.conf will create a security hole, especially valuable
>  for ISPs. Imagine that you have Midgard hosting somewhere with a
>  configurable MySQL server location option like you requested. Then
>  those who sneaked into your account simply replace the config - and your
>  site will be rewritten immediately by a different (remote) database
>  without additional problems.

This assumes a few things:

Situation 1: ISP manages httpd.conf, or
Situation 2: Client has own httpd.conf

Situation 1: The file should be editable/readable only by root. If the file
is writeable by anyone else, you've got problems anyhow. If the file is
readable by non-roots, the Midgard DB password is there in plaintext, so an
intruder can just log into the mysql database directly and trash your site,
no matter where the database is located. If someone cracks root on the
machine I don't think you need to worry about them changing the httpd.conf :/

Situation 2: If someone cracks your account and can change your own
httpd.conf, setting MidgardEngine off, changing the documentroot, possibly
using mod_rewrite, your site is 'changed' in an instant too. And your DB
password is in plain view, so once again, the cracker can easily trash your
content.

So I think making the database non-configurable buys you very little
security.

Emile
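The two conditions Emile's argument rests on (httpd.conf is root-only, and it carries the DB password in plaintext) can be checked mechanically. The script below is an added example, not code from the Midgard project or from anyone in this thread. It assumes GNU coreutils `stat -c` (Linux), and the credential-directive pattern it greps for (any directive whose name contains "Pass", e.g. a hypothetical MidgardPassword) is an assumption, since the thread never names the actual password directive.

```shell
#!/bin/sh
# audit_httpd_conf.sh -- added example, not part of the Midgard project.
# Checks the two conditions the argument above rests on for a config file
# that embeds the Midgard/MySQL credentials:
#   1. only root can read or write it (no group/other permission bits),
#   2. whether it contains plaintext credential directives at all.
# Assumes GNU coreutils `stat -c` (Linux). The directive names matched in
# count_cred_lines are illustrative; the post does not name the directive.

# check_conf_perms FILE [OWNER]
# Returns 0 if FILE is owned by OWNER (default root) and its mode grants
# nothing to group or other; returns 1 and prints WARN lines otherwise,
# 2 if the file cannot be stat'ed.
check_conf_perms() {
    file=$1
    want_owner=${2:-root}
    rc=0
    have_owner=$(stat -c '%U' "$file" 2>/dev/null) || return 2
    mode=$(stat -c '%a' "$file")
    if [ "$have_owner" != "$want_owner" ]; then
        echo "WARN: $file is owned by $have_owner, expected $want_owner"
        rc=1
    fi
    # The last two octal digits of the mode are the group and other bits.
    group_other=${mode#"${mode%??}"}
    if [ "$group_other" != "00" ]; then
        echo "WARN: $file mode $mode is readable/writable beyond its owner"
        rc=1
    fi
    return $rc
}

# count_cred_lines FILE
# Prints the number of non-comment directive lines whose name contains
# "Pass" (e.g. a hypothetical MidgardPassword directive).
count_cred_lines() {
    grep -ciE '^[[:space:]]*[A-Za-z_]*Pass[A-Za-z_]*[[:space:]]+' "$1" || true
}

# audit_conf FILE
# Runs both checks; exit status is that of the permission check, with an
# extra warning when exposed permissions coincide with embedded credentials.
audit_conf() {
    creds=$(count_cred_lines "$1")
    creds=${creds:-0}
    echo "INFO: $1 contains $creds plaintext credential line(s)"
    if check_conf_perms "$1"; then
        echo "OK: $1 is root-only"
        return 0
    fi
    if [ "$creds" -gt 0 ]; then
        echo "WARN: DB credentials in $1 are exposed to non-root users"
    fi
    return 1
}
```

Source the file and call `audit_conf /path/to/httpd.conf` as root; a non-zero exit with the "exposed" warning is exactly the situation the post describes, where the database location no longer matters because the password itself is readable.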

--
This is The Midgard Project's mailing list. For more information,
please visit the project's web site at http://www.midgard-project.org

To unsubscribe the list, send an empty email message to address
[EMAIL PROTECTED]
