Topic: Securing PunBB
I am installing PunBB and I would like it to be as secure as possible. I've done some security configuration on Apache following some howtos and now I am mostly concerned with securing PunBB itself. I am a web-server newbie but have used Linux for a long time.
* When it comes to the database, is it possible to avoid using root as the user? Would it make any difference? If so, what are the minimum privileges required by the database user with regards to PunBB?
* What file permissions should I use for the PunBB files?
I got the warning that cache should be writable (chmod 777), but would it be more secure if the files all belong to www-user and are only user writable?
Can I make the extension folder read-only after I'm done installing extensions?
* Are there any more directories that need to be writeable?
* Is there any gain in creating another user in the same group as www-user and let him be the owner of the files so that www-user has no chance of changing permissions on files?
* Are there any other steps I could take to make PunBB more secure?
Regards
A paranoid newbie admin
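
An added example, not part of the original post and not PunBB's own tooling: a shell audit for the file-permission questions above. It lists world-writable entries, and entries owned by the web server account, outside the directories you pass as meant to be writable. The function names, the argument order and the use of `cache` as the allowed directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Assumed usage: sh audit.sh FORUM_ROOT WEB_USER [ALLOWED_SUBDIR...]
#   e.g. sh audit.sh /path/to/forum www-user cache

# Read root-relative paths on stdin; print those not inside an allowed subdir.
outside_allowed() {
    while IFS= read -r rel; do
        skip=0
        for allowed in "$@"; do
            case "$rel" in "$allowed"|"$allowed"/*) skip=1 ;; esac
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$rel"; fi
    done
}

# world_writable ROOT [ALLOWED...]: entries with the o+w bit set (what a
# blanket chmod 777/666 leaves behind), excluding the allowed subdirs.
world_writable() {
    ww_root=${1%/}; shift
    (cd "$ww_root" && find . ! -type l -perm -0002 -print) \
        | sed 's|^\./||' | outside_allowed "$@"
}

# web_owned USER ROOT [ALLOWED...]: entries owned by the web server account.
# The owner of a file can always chmod it, so code the web user owns can be
# made writable again by any script running as that user.
web_owned() {
    wo_user=$1; wo_root=${2%/}; shift 2
    (cd "$wo_root" && find . ! -type l -user "$wo_user" -print) \
        | sed 's|^\./||' | outside_allowed "$@"
}

# Report mode: runs only when called with at least ROOT and WEB_USER.
if [ "$#" -ge 2 ]; then
    forum_root=$1; web_user=$2; shift 2
    echo "World-writable outside allowed directories:"
    world_writable "$forum_root" "$@"
    echo "Owned by $web_user outside allowed directories:"
    web_owned "$web_user" "$forum_root" "$@"
fi
```

An empty list under both headings means nothing outside the allowed directories is world-writable or owned by the web server account.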