Accessibility of the config.ini File

Like the data directories /tmp and /global, the configuration file "config.ini" is normally also accessible via the web, under the /global/config directory (depending on the web server configuration).

Since the access data for the Portalsuite database are stored in this file, someone in possession of this data could cause considerable damage. Usually the IP address should additionally be included in the authentication process, so that the access data from the configuration file alone do not enable access.

Solution: The config.ini cannot be moved, because Portalsuite 2002 looks for it exclusively in this directory. To make the file inaccessible via the web, the web server therefore has to be reconfigured. The idea is to redirect requests for the file to another file or into a dead end. Since Portalsuite 2002 opens the file at the file-system level, this can be done without any trouble.

With the popular Apache server, you can simply add the following line to the configuration file, in the virtual host section (if you use virtual hosts):

Redirect /global/config/config.ini http://www.mydomain.de

This line redirects every request for the "config.ini" file to an arbitrary URL / domain. Again: since the Portalsuite accesses the file via the local file system and not via the web server, this solution causes no conflict and is an effective preventive measure.
However, make sure that your editor does not leave a backup copy of this file behind after you edit it (which would then again be accessible). Either add a second redirect, delete any backup copies manually, or avoid their creation.
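
A check for the backup-copy problem described above, as an added example that is not part of the original text or of Portalsuite. It lists copies of config.ini in the directory that the Redirect line does not cover; the function names, the name heuristic and the simplified model of Apache's segment-wise Redirect matching are assumptions, and the sample files are constructed.

```python
import os
import tempfile

PROTECTED = "config.ini"
URL_DIR = "/global/config"  # URL path of the directory, as given on the page


def redirect_covers(prefix, url_path):
    """Simplified model (assumption) of Apache Redirect matching: the prefix
    must match whole path segments, so .../config.ini does not cover
    .../config.ini~ or .../config.ini.bak."""
    if not url_path.startswith(prefix):
        return False
    rest = url_path[len(prefix):]
    return prefix.endswith("/") or rest == "" or rest.startswith("/")


def exposed_copies(config_dir, redirect_prefixes):
    """Return URL paths of config.ini and look-alike copies found in
    config_dir that none of the Redirect prefixes covers."""
    exposed = []
    for name in sorted(os.listdir(config_dir)):
        # Heuristic (assumption): editor backups keep the original name
        # inside theirs, e.g. config.ini~, config.ini.bak, .config.ini.swp
        if PROTECTED not in name:
            continue
        url_path = f"{URL_DIR}/{name}"
        if not any(redirect_covers(p, url_path) for p in redirect_prefixes):
            exposed.append(url_path)
    return exposed


def demo(redirect_prefixes=("/global/config/config.ini",)):
    # Constructed sample directory: the real file plus typical editor leftovers.
    with tempfile.TemporaryDirectory() as d:
        for name in ("config.ini", "config.ini~", "config.ini.bak",
                     ".config.ini.swp", "other.txt"):
            open(os.path.join(d, name), "w").close()
        return exposed_copies(d, list(redirect_prefixes))


if __name__ == "__main__":
    for path in demo():
        print("not covered by the redirect:", path)
```

Run against the real /global/config directory after each edit, an empty result means no stray copy is left outside the redirect.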