Having this strtucture in a PHP proyect:
htdocs/
project_name/
conf/
db_info.xml
html/
index.php
index.php is reading db_info.xml
The owner and group of this project is and user created for it.
DOCUMENT_ROOT is htdocs/project_name/html/
Is insecure to set 644 the file with the DB info and credentials (db_info.xml)?
Read permision for all could be a security issue or let folder named 'conf' out of the DOCUMENT_ROOT shouldn't be a problem?
It depends on your web server configuration - if you don't allow the web server to read and serve the conf directory publicly - should not be a problem. But generaly you should consider moving the configs out of a public folder.
I personally think that you don't need to give a read permission to all user, so don't give them.
Read permision for all could be a security issue or let folder named 'conf' out of the DOCUMENT_ROOT shouldn't be a problem?
This is a must, if not anyone can read your databse if the file has got a 644 permission.
Using a .xml as a "database" it's not the best security solution anyway, use this solution only if you can't do anything else. Remember to use a strong hashing algorithm (bcrypt or argon2) with a salt