To prevent the file with usernames and hashed passwords, and also the log files, from being viewed by everyone,
you should add a .htaccess file to the /admin folder.
This .htaccess file should have the following content:
<Files *.txt>
order allow,deny
deny from all
</Files>
Access rights of publicly available files should be as restrictive as possible. This means, if possible, set the access rights to readable and writable only by the UID (user) the webserver is running as. No other user needs access to these files (especially the ones with usernames and passwords, even though the passwords are hashed). On my system this looks like this:
-rw------- 1 www wwwrun 2482 2006-06-02 08:39 admin_config.php
Read and write is possible for the user www (Apache is running as www in the group wwwrun); there are no access rights for other users in the same group or anyone else. If you add your files by FTP, the files often "belong" to the webserver user, but this is not always true, so it's better to check it.
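One way to check both measures at once, as an added example that is not part of the original text: the function name audit_admin_perms and the finding labels are made up for this sketch, and the directory and webserver user are passed in as arguments.

```shell
#!/bin/sh
# Added example: audit an admin folder against the two rules described above.
# Usage: audit_admin_perms DIR WEB_USER   (WEB_USER: user name or numeric UID)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_admin_perms() {
    dir=$1
    web_user=$2

    findings=$(
        # Rule 1: DIR/.htaccess must exist and contain the "deny from all" rule.
        # (Text match only; it does not parse the <Files> block.)
        if ! grep -qi 'deny from all' "$dir/.htaccess" 2>/dev/null; then
            printf 'NO_DENY_RULE %s\n' "$dir/.htaccess"
        fi
        # Rule 2a: no permission bit may be set for group or others,
        # i.e. anything looser than -rw------- is reported.
        find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'LOOSE_MODE %s\n' {} +
        # Rule 2b: every file must belong to the webserver user
        # (files uploaded by FTP may belong to someone else).
        find "$dir" -type f ! -user "$web_user" \
            -exec printf 'WRONG_OWNER %s\n' {} +
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run directly, e.g.: sh audit.sh /path/to/admin www
if [ "$#" -ge 2 ]; then
    audit_admin_perms "$1" "$2"
fi
```

Each LOOSE_MODE line can be fixed with chmod 600 on the file, each WRONG_OWNER line with chown to the webserver user.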