Write perms to the modules directory from Drupal as the web server user is really hard for me to swallow.... Any package-manager-like script should be run from the command line as a privileged user. It should do its set job and be bulletproof.

On Wed, 2006-11-22 at 11:21 +0100, Oswald Jaskolla wrote:
Wow,
Oswald Jaskolla wrote:
I am currently working on a system to automatically install modules.
looks like I really hit a nerve there. So let me clarify a few things:
- Downloading and installing is only done on explicit request of the administrator. I am not Microsoft.
- Downloaded files are not less safe because they are downloaded via PHP. There is currently no checksumming available and apart from developers nobody looks into the code to see if it was tampered with.
- There are a lot of Drupal installations for development and testing that do not have the same security needs as production sites have.
- Typo3 does it.
The only security issue remaining is having write access to the modules directory. If the actual downloading and unpacking is done via a one-time cron job, this cron job could temporarily alter the access mode of the target directory, minimizing the time that the directory is writable.
Greetings,
-- 
Oswald Jaskolla
Ingenieurbüro Richard Schieferdecker
Kreuzherrenstraße 2
52062 Aachen
Tel.: 02 41 / 409 54 43 Fax: 02 41 / 477 05 199 mobil: 01 64 / 941 06 75 eMail: oswald.jaskolla@schieferdecker.com
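
The one-time cron job proposed in the message above, sketched as an added example (not code from this thread or from Drupal): the modules directory is made writable only for the final copy and its original mode is restored afterwards. `install_module` is a hypothetical helper name; GNU `stat` and `tar` and a `.tar.gz` module archive are assumed.

```shell
#!/bin/sh
# Added example: install_module is a hypothetical helper, not Drupal code.
# Assumes GNU stat/tar; meant to run from cron as a privileged user,
# not as the web server user.

# install_module ARCHIVE MODULES_DIR
# Unpacks a .tar.gz into MODULES_DIR, which is writable only while copying.
install_module() {
    archive=$1
    modules_dir=$2

    # Refuse archives whose member names are absolute or contain "..",
    # since those could write outside the modules directory.
    # (Symlink members are not inspected in this sketch.)
    if tar -tzPf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $archive: unsafe member path" >&2
        return 1
    fi

    orig_mode=$(stat -c %a "$modules_dir") || return 1

    # Unpack into a staging directory first, so the target stays
    # read-only during decompression.
    staging=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$staging" \
            --no-same-owner --no-same-permissions; then
        rm -rf "$staging"
        return 1
    fi

    # Open the write window only for the copy, then always close it again.
    chmod u+w "$modules_dir" || { rm -rf "$staging"; return 1; }
    cp -R "$staging"/. "$modules_dir"/
    status=$?
    chmod "$orig_mode" "$modules_dir" || status=1
    rm -rf "$staging"
    return $status
}
```

Because the thread notes that no checksums are available, this limits only how long the directory is writable; it does not establish that the archive is the one the maintainer published.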