[support] Locking down drupal for use by multiple (semi-)untrusted administrators

Hugo Mills hugo-dru at carfax.org.uk
Wed Nov 21 11:52:56 UTC 2007


   Thanks for your reply.

On Wed, Nov 21, 2007 at 12:41:26PM +0100, Saint-Genest Gwenael wrote:
> Hugo Mills wrote:
> (snip)
> > 1) Themes.
> > 
> >    From my limited investigation so far, it seems that Drupal themes
> > are basically PHP. Allowing users to upload themes directly is
> > therefore a no-no. Is there a non-executable type of theme that we can
> > support direct uploads for safely, or will all uploaded themes have to
> > be audited before we allow them up? How flexible would the system be
> > if we were to prevent theme uploads completely?
> 
>     I think, for the moment, all Drupal themes must contain PHP code.

   Unfortunate, but not unexpected.

> Maybe you can pre-install some popular themes and suggest users request
> other themes by mail to the admin? Maybe you can use some themes from
> themegarden?

   Yes, we'll probably pre-install a bunch of themes for people to use
anyway (and install others on request). I can foresee some people
having issues with not being able to upload their own themes, but we
have a less-secure provisioning for that.

>     For more flexibility you can allow users to upload personal images
> for the theme.

   OK, I'll have a play with that.

> > 4) What else have I forgotten or overlooked?
> > 
> >    The chances of having a malicious user are probably fairly small in
> > this set-up, but I'd like to keep it as "clean" as possible, so
> > pointing out any other glaring holes that would allow a site
> > administrator to execute arbitrary code on the server would be useful.
> 
>     I've never used multisite mode, but I'm interested in hearing about
> your experience.

   If I ever get this system up and running sensibly, I'll try to
write up what we had to do to get it to work, and circulate it to the
relevant communities.

   Hugo.

-- 
=== Hugo Mills: hugo at ... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
       --- "You got very nice eyes, Deedee. Never noticed them ---       
                           before. They real?"                           
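The thread settles on one defensive rule: themes are PHP and cannot be accepted from semi-trusted administrators, but plain image assets can. Below is an added example of the check a hosting admin might put in front of such an image upload; it is not code from this thread or from Drupal. It assumes the hypothetical policy that only PNG, JPEG and GIF files with a single extension are accepted, and that a file whose content carries a PHP open tag is rejected even if its header looks like an image (several image formats allow arbitrary trailing data, so a matching header alone proves little). The sample upload at the bottom is constructed for the example.

```python
"""Allow-list validation for user-uploaded theme image assets.

Added example (not part of the original thread, not Drupal code).
Assumed policy: a theme's image directory may only receive PNG/JPEG/GIF
files; anything else, including PHP source, is rejected.
"""
from __future__ import annotations

import os
import re

# Extension -> accepted leading bytes ("magic numbers") for the allowed image types.
ALLOWED_TYPES: dict[str, tuple[bytes, ...]] = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Any PHP open tag ("<?php", "<?=", or bare "<?") anywhere in the content.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def validate_theme_asset(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one uploaded file.

    Checks, in order:
      1. the name is `base.ext` with exactly one extension (this also
         rejects names such as `x.php.gif`) and `.ext` is allow-listed;
      2. the content starts with the magic bytes of that type;
      3. the content contains no PHP open tag, because a valid image
         header does not guarantee the rest of the file is image data.
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = "." + parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} is not an allowed image type"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match the {ext} header"
    if PHP_OPEN_TAG.search(data):
        return False, "content contains a PHP open tag"
    return True, "ok"


def filter_upload(files: dict[str, bytes]) -> dict[str, str]:
    """Validate a batch of uploaded files; return a name -> reason map."""
    return {name: validate_theme_asset(name, blob)[1] for name, blob in files.items()}


# Constructed sample upload for the example (not real user data).
SAMPLE_UPLOAD: dict[str, bytes] = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "page.tpl.php": b"<?php echo 'hello'; ?>",      # theme template: PHP, rejected
    "shell.php.gif": b"GIF89a" + b"\x00" * 8,       # double extension, rejected
    "sneaky.gif": b"GIF89a<?php echo 'not an image'; ?>",  # image header, PHP body
}

if __name__ == "__main__":
    for name, reason in filter_upload(SAMPLE_UPLOAD).items():
        print(f"{name}: {reason}")
```

Only the two genuine images are accepted; the three other entries are each rejected for a different reason, which is the property worth keeping when the rule set grows. Pair a check like this with server configuration that never executes files from the upload directory, since validation at upload time is only one layer.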