CodeRunner Documentation (V2.4.2)
2.5 Checking security
Until recently the default Moodle install had all files in the
config.php, which contains the database password,
can be read by student code. So it's most important that you at very least
ensure that that particular file is not world-readable.
A better fix is to set the group of the entire Moodle subtree to apache (or www-data depending on what user the web server runs as) and then make it all not world readable. However, if you do that after installing CodeRunner you'll break the set-uid-root program that's used to start the Runguard sandbox. So you then need to re-run the runguard installer to fix it.