Hi Bér, I don't know why we can find a positive issue to this point. :) We could have write permissions during the installation process and at the end of the process a instruction such as permission restrictions to read only on the module file. I hope we can find a positive issue to this. In fact, I find this is a great feature to be able to install contributed modules at the installation time. Even if this the module directory have write permissions, there is many other part such databases, cache directory that have write permissions. What can we do to avoid or "work around' such problem ? I find this is a great and wonderful feature in fact ! Can we find a other way such "unsafe module directory" system or other ways like this ? This is because I don't know this is impossible that we can reach it :) Jean-Marie On 3/27/07, Bèr Kessels <ber@webschuur.com> wrote:
Op dinsdag 27 maart 2007 10:02, schreef Jean-Marie Renouard:
The moduleFectcher is able to catch module from the official Drupal web site and install it into the directory tree.
There is several issues I know about security around such a process and I am agree from it.
The solution for the biggest secutity issue, in this system, is that you don't have to rnu it from the web.
The security issue is: If your web-application can write (to) itself, you have a severe security hole. Hence: If your website can install and run modules and code itself you have a problem.
sympal scripts is ran from the CLI.
And no! That does not mean "but but but Joe User Does Not Know the CLI".:) It is meant to be fired from scripts that are ran from secure applications (on the web). Such as webmin, plesk, or your dedicated System-Admin-Drupal-Installation, running off a separare webserver.
The way I use it, is trough a script that I run from my desktop. It allows me to install modules w/o spending any time on the servers CLI. We still have plans to merge this into webmin, but until now it generally works fine enough.
Bèr
-- Cordialement, Jean-Marie Renouard