Open carrvo opened 4 days ago
Just checking this from my phone, so haven't looked terribly closely, but is this giving write access to Apache? Apache should never be able to write your config file. So I would reject this. Perhaps it would be acceptable if there were a very clear warning about removing write access after the config is created, since it would be a security concern.
That is a very good point for security. However, if you wanted a password reset application (common enough), then that would need write access to clear the contents.
My main reason for mentioning this is that the current documentation made it sound like the config file is supposed to be automatically generated (setup step 2) and it took me almost an hour to figure out that it was printing the content to the webpage instead. So some update to the documentation would be nice: whether noting it in step 2 or changing the wording for my proposal.
I should note that I used Alias instead of putting the files under the DocumentRoot, which the steps recommend, so it may normatively have the permissions through that mechanism.