CodeRunner Documentation (V2.4.2)

2.5 Checking security

Until recently the default Moodle install had all files in the tree world-readable. This is BAD, especially if you're running code in the Runguard sandbox, because the all-important config.php, which contains the database password, can be read by student code. So it's most important that you at very least ensure that that particular file is not world-readable.

A better fix is to set the group of the entire Moodle subtree to apache (or www-data depending on what user the web server runs as) and then make it all not world readable. However, if you do that after installing CodeRunner you'll break the set-uid-root program that's used to start the Runguard sandbox. So you then need to re-run the runguard installer to fix it.