[support] Locking down drupal for use by multiple (semi-)untrusted administrators
Saint-Genest Gwenael
gwenael.saint-genest at makina-corpus.com
Wed Nov 21 11:41:26 UTC 2007
Hugo Mills wrote:
(snip)
> 1) Themes.
>
> From my limited investigation so far, it seems that Drupal themes
> are basically PHP. Allowing users to upload themes directly is
> therefore a no-no. Is there a non-executable type of theme that we can
> support direct uploads for safely, or will all uploaded themes have to
> be audited before we allow them up? How flexible would the system be
> if we were to prevent theme uploads completely?
I think, for the moment, all Drupal themes must contain PHP code.
Maybe you can pre-install some popular themes and suggest that users request
other themes by mail to the admin? Maybe you can use some themes from
themegarden?
For more flexibility you can allow users to upload personal images
for the theme.
> 4) What else have I forgotten or overlooked?
>
> The chances of having a malicious user are probably fairly small in
> this set-up, but I'd like to keep it as "clean" as possible, so
> pointing out any other glaring holes that would allow a site
> administrator to execute arbitrary code on the server would be useful.
I've never used multisite mode, but I'm interested in your feedback from
the experience.
Gwen
--
Saint-Genest Gwenael <gwenael.saint-genest at makina-corpus.com>
Makina Corpus - http://www.makina-corpus.com/
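The thread settles on one safe middle ground: themes stay server-installed because they are PHP, and site administrators may only upload personal images for the theme. The validator below, an added example that is not part of the original mailing-list message or of Drupal itself, shows the checks a defender would want on that image-upload path: an allowlist of image extensions applied to every suffix (so a double extension such as `trick.php.png` is refused), a magic-byte check that the content matches the claimed type, a defence-in-depth scan for PHP open tags inside the file, a size cap, and a server-chosen storage name so the user-supplied name never reaches the filesystem. The function names, the `ALLOWED_TYPES` table, the limit and all sample uploads are assumptions constructed for this illustration.

```python
import os
import re
import secrets

# Constructed allowlist: extension -> accepted leading magic bytes.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # assumed cap for a theme image

# Defence in depth: an image should never need a PHP open tag. A genuine
# file with "<?php" in its metadata is rejected too; that false positive
# is the accepted price here.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_image_upload(filename, data):
    """Return (accepted, reason) for an uploaded theme image."""
    name = os.path.basename(filename).lower()  # drop any path component
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no base name or extension"
    # Every suffix after the base name must be an allowed image extension,
    # so "trick.php.png" fails on ".php" regardless of web-server MIME rules.
    suffixes = parts[1:]
    for suffix in suffixes:
        if suffix not in ALLOWED_TYPES:
            return False, f"disallowed extension .{suffix}"
    ext = suffixes[-1]
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # The content must really start like the image type the name claims.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, ""


def storage_name(ext):
    """Server-chosen file name: random hex plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads, not real files.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,          # genuine-looking PNG
    "shell.php": b"<?php echo 1; ?>",                           # plain PHP file
    "trick.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,       # double extension
    "poison.gif": b"GIF89a" + b"<?php /* constructed */ ?>",    # PHP tag inside image
    "renamed.jpg": b"<?php echo 1; ?>",                         # PHP renamed to .jpg
}


def check_samples():
    """Map each sample name to whether the validator accepts it."""
    return {name: validate_image_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, reason = validate_image_upload(name, data)
        print(f"{name:16} {'accept' if ok else 'reject'} {reason}")
```

Only `logo.png` is accepted; the other four are refused for different reasons, which is the point: no single check catches every case, and the stored file gets a name from `storage_name()` rather than from the user. This keeps a user-uploaded file from ever being a PHP script with a path the web server might execute, while still giving administrators the image flexibility the reply suggests.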