Seems we've been hashing this one around for a while and it only leads to a stalemate. I was thinking about this and wondering about potential radically different approaches. What if we were to model the software update process based on what many OS's do. * the module downloads updates into a staging directory (perhaps still in tgz format). .info files could be used as module signatures to go with the tarballs so that the directory that this stuff gets downloaded into doesn't have to be able to execute code. You could cron_hook this so that updates would be already downloaded when you installed it. * the normal drupal UI is modified to look for .info files and corresponding tar files and ask the users if they want to install. * when the user approves the updates, a privileged cron script performs the updates at the next scheduled time. This script could also be run manually, but the idea would be that if you ever invoked it via drupal, you'd have to specify credentials. This is of course a very rough idea, but I'm hoping it might get some creative juices flowing on a way to solve the problem that doesn't make us uncomfortable about the security ramifications. On Mar 27, 2007, at 5:55 AM, Jean-Marie Renouard wrote:
Hi Bér,
I don't know why we can find a positive issue to this point. :)
We could have write permissions during the installation process and at the end of the process a instruction such as permission restrictions to read only on the module file.
I hope we can find a positive issue to this. In fact, I find this is a great feature to be able to install contributed modules at the installation time.
Even if this the module directory have write permissions, there is many other part such databases, cache directory that have write permissions.
What can we do to avoid or "work around' such problem ?
I find this is a great and wonderful feature in fact ! Can we find a other way such "unsafe module directory" system or other ways like this ?
This is because I don't know this is impossible that we can reach it :)
Jean-Marie
On 3/27/07, Bèr Kessels <ber@webschuur.com> wrote:
Op dinsdag 27 maart 2007 10:02, schreef Jean-Marie Renouard:
The moduleFectcher is able to catch module from the official Drupal web site and install it into the directory tree.
There is several issues I know about security around such a process and I am agree from it.
The solution for the biggest secutity issue, in this system, is that you don't have to rnu it from the web.
The security issue is: If your web-application can write (to) itself, you have a severe security hole. Hence: If your website can install and run modules and code itself you have a problem.
sympal scripts is ran from the CLI.
And no! That does not mean "but but but Joe User Does Not Know the CLI".:) It is meant to be fired from scripts that are ran from secure applications (on the web). Such as webmin, plesk, or your dedicated System-Admin-Drupal-Installation, running off a separare webserver.
The way I use it, is trough a script that I run from my desktop. It allows me to install modules w/o spending any time on the servers CLI. We still have plans to merge this into webmin, but until now it generally works fine enough.
Bèr
-- Cordialement, Jean-Marie Renouard