On Jul 15, 2011, at 9:35 AM, Marc Delisle marc@infomarc.info wrote:
> Hi,
> we got a suggestion from a user about either restricting access to /setup or telling the installer to remove this directory after initial setup.
> Let's discuss this...
If I remember correctly, the reason this wasn't done in the first place is that there's no vulnerability to leaving it exposed. The user moves the generated config.inc.php, and a malicious user can't write a new one that would be used. Additionally, users who wish to reconfigure later might want to run the setup; if it's removed they'll have to (presumably) reinstall the entire program.
If there were a good reason to remove it, then I'd certainly support the idea, but I don't see a compelling reason at the moment.
[snip]