[development] RFC: letting modules phone home to check for new releases

Steven Peck speck at blkmtn.org
Tue Nov 28 05:44:13 UTC 2006


-----Original Message-----
From: development-bounces at drupal.org on behalf of Darrel O'Pry
Sent: Mon 11/27/2006 6:48 AM
To: development at drupal.org
Subject: Re: [development] RFC: letting modules phone home to check for new releases
 
On Thu, 2006-11-23 at 03:11 +0100, Steven Wittens wrote:
> > Therefore, you either need to temporarily give apache write access  
> > to code
> > files (which you can't do from within a web app running in apache,  
> > obviously)
> > or run the upgrade as a user that already has write access to them.
> 
> Are we sure that you can't change the owner of the current process  
> through Apache? We can execute arbitrary shell commands, if needed.  
> The ideal solution could then be a script that can be invoked both  
> from the web and from the command-line.
> 
> Through the browser, it would ask for your local username/password,  
> and then perform the upgrade tasks (only from a very limited set of  
> commands, e.g. unpacking module files and copying them into the right  
> dir). From the command-line, it would just assume the current user is  
> the right one already.
> 
> Steven Wittens

A well written & setuid script would do the job.  You can call it
through system or exec I believe. There are many applications that use
this technique. The first that come to mind are qmail and majordomo.  I
believe Windows even supports a run as user option for its files.

Something to keep in mind about such a script is it should in no way
receive input from the browser. It should only be triggered, and should
still be paranoid about its config files... aka they're still owned by
the proper non-apache uid, don't contain any sort of exploit-like
code...

At the end of the day I'm more concerned about other websites on shared
servers and partitioning risk between multiple sites on the same server.
As it is any code injection bugs in Drupal could mean a lost db, and the
real value of most websites is what's in the database.

.darrel.

and I'd be interested in seeing if it would work through IIS or Apache on Windows.
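
Added example, not part of the original thread and not Drupal code: one way a setuid helper could be "paranoid about its config files" as described above, refusing any config that is a symlink, not a regular file, not owned by the expected non-apache uid, or writable by group or others. The function names and the /tmp sample file are assumptions constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, O_CLOEXEC, mkstemp, fchmod */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a config file only if it can be trusted.
 * Returns a read-only fd on success, -1 if any check fails. */
int open_trusted_config(const char *path, uid_t expected_owner)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink planted at the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the path, so the checks and the later
     * read apply to the same file (no check-then-use race). */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||              /* regular file only */
        st.st_uid != expected_owner ||       /* owned by the upgrade user */
        (st.st_mode & (S_IWGRP | S_IWOTH))) { /* not group/world writable */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed sample: make a temp file with the given mode, owned by the
 * current user, and report whether the helper accepts it (1) or not (0). */
int demo_accepts(mode_t mode, uid_t expected_owner)
{
    char path[] = "/tmp/cfgcheckXXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    fchmod(tmp, mode);
    close(tmp);
    int fd = open_trusted_config(path, expected_owner);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return fd >= 0;
}

int main(void)
{
    printf("0600: %d, 0666: %d\n", demo_accepts(0600, getuid()), demo_accepts(0666, getuid()));
    return 0;
}
```

A real helper would pass the fixed uid of the account that owns the code files as `expected_owner`, and would apply the same checks to each parent directory of the config path.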

