On 22/11/06, Derek Wright <drupal@dwwright.net> wrote:
> your Drupal source files *DO NOT* have to be writable by the webserver process uid for "the files to be usable by Drupal" (!!!). the "files" directory is a special case, which is why a) it's been a source of numerous security issues and b) it should be handled with intensely defensive programming by anything that's touching it.
Yep, a very important aspect of web application security is to protect the web application from itself. The web server can't tell the difference between a legitimate request to overwrite application files and one that has manipulated the application into doing so. Trust nothing (or, more practically, trust as little as possible). Ideally the web server and the web application shouldn't trust each other. Changes to the application should be done "out of band", i.e. not through the same medium the rest of the internet accesses the application.

Of course, on a shared host there will be compromises that need to be made. For instance phpsuexec effectively violates the "out of band" idea by running the site as the "out of band" admin user, but it adds protection against other sites on a shared host, which is arguably more important. When not on a shared host it would be better not to use phpsuexec so running the app and changing the app are separated from each other.

Hopefully that wasn't off-topic. Apologies for rehashing something most of you are already fully aware of, I just wanted to reiterate what Derek was saying in a slightly different way to make sure any less experienced developers understood his point.

--
Cheers
Anton
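The separation Derek and Anton describe (source files not writable by the webserver uid, the "files" directory as the one deliberate exception) is easy to check mechanically. The script below is an added example for this thread, not code from Drupal or from either poster. It assumes the webserver process does not own the source tree, so group- and world-write bits are the permissions that matter, and it assumes the upload directory lives at `sites/default/files` (both are assumptions; adjust for your layout). It builds a small constructed sample tree so it can run offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Drupal). Reports every file or
# directory under a docroot that a non-owner process (assumed: the webserver
# uid) could write to, skipping the one directory that is supposed to be
# writable. Anything reported is a candidate for "the app can rewrite itself".

# audit_writable DOCROOT [FILES_DIR]
# Prints group- or world-writable entries under DOCROOT, pruning FILES_DIR.
# FILES_DIR defaults to DOCROOT/sites/default/files (an assumed layout).
audit_writable() {
    root="$1"
    files_dir="${2:-$root/sites/default/files}"
    find "$root" -path "$files_dir" -prune -o \
        \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# make_sample_tree: builds a constructed docroot with one deliberate mistake
# (a world-writable module file) and one legitimate writable upload dir.
# Prints the path of the temporary tree.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sites/default/files" "$tmp/modules/foo"
    # Pin directory modes so the host umask cannot skew the result.
    chmod 755 "$tmp/sites" "$tmp/sites/default" "$tmp/modules" "$tmp/modules/foo"
    echo '<?php' > "$tmp/index.php"
    echo '<?php' > "$tmp/modules/foo/foo.module"
    echo 'upload' > "$tmp/sites/default/files/upload.txt"
    chmod 644 "$tmp/index.php"                  # correct: owner-only write
    chmod 666 "$tmp/modules/foo/foo.module"     # misconfigured: world-writable source
    chmod 777 "$tmp/sites/default/files"        # expected: the files dir is writable
    chmod 666 "$tmp/sites/default/files/upload.txt"
    printf '%s\n' "$tmp"
}

# count_findings DOCROOT: number of entries audit_writable reports.
count_findings() {
    audit_writable "$1" | wc -l | tr -d ' '
}
```

Run it against a real install with `audit_writable /path/to/docroot`; on the constructed tree only `modules/foo/foo.module` is reported, because `sites/default/files` is pruned and `index.php` is owner-write only. If the webserver does own the tree (the phpsuexec case Anton mentions), the mode bits alone do not answer the question, and you would instead run the check as that uid or filter with `find -user`.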