Re: [development] RFC: letting modules phone home to check for new releases
I know that this is a sensitive issue, and I'm certainly interested in security, so I thought that I'd point out that there is already some drupal functionality, if memory serves, for creating the settings.php file from the web interface at install time, which would seem to require that you make your sites directory writeable by the www user. Because in the end it's all code that gets executed within drupal, I think there's not much difference between being able to write to settings.php and being able to write to the modules directory (IMHO). So from a security perspective, it seems to me we've already crossed this bridge. I could put just as damaging code in the settings.php file as I could in any module directory the way drupal is architected.

I agree that command line tools would be a really nice feature, but I thought that the discussion of being creeped out regarding the modules directory was promoting a false sense of security.

Dave

-----Original Message-----
From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Darrel O'Pry
Sent: Wednesday, November 22, 2006 2:05 PM
To: development@drupal.org
Subject: Re: [development] RFC: letting modules phone home to check for new releases

Write perms to the modules directory from drupal as the web server user is really hard for me to swallow.... Any package-manager-like script should be run from the command line as a privileged user. It should do its set job and be bulletproof.

On Wed, 2006-11-22 at 11:21 +0100, Oswald Jaskolla wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Wow,
Oswald Jaskolla wrote:
I am currently working on a system to automatically install modules.
looks like I really hit a nerve there. So let me clarify a few things:
- Downloading and installing is only done on explicit request of the administrator. I am not Microsoft.
- Downloaded files are not less safe because they are downloaded via PHP. There is currently no checksumming available and apart from developers nobody looks into the code to see if it was tampered with.
- There are a lot of drupal installations for development and testing, that do not have the same security needs as production sites have.
- Typo3 does it.
The only security issue remaining is having write access to the modules directory. If the actual downloading and unpacking is done via a one time cron job, this cron job could temporarily alter the access mode of the target directory, minimizing the time that the directory is writable.
Greetings,
--
Oswald Jaskolla
Ingenieurbüro Richard Schieferdecker
Kreuzherrenstraße 2
52062 Aachen

Tel.: 02 41 / 409 54 43
Fax: 02 41 / 477 05 199
mobil: 01 64 / 941 06 75
eMail: oswald.jaskolla@schieferdecker.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFZCSquinSHQ/4/T4RAsUmAJ4sTVuIs5eKpQgOCn9sZ6QvOub7YwCeN39w pnLSOei74O+fQkwTaHF1sho= =aIUQ -----END PGP SIGNATURE-----
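The one-time job proposed in the quoted message (make the modules directory writable only while unpacking), combined with the checksum step that message notes is missing, as an added example that is not part of the thread or of Drupal. The function name `install_module`, the use of SHA-256 with a digest obtained out of band, GNU coreutils and tar, and running the job as the directory owner rather than the web server user are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: GNU coreutils and tar,
# a SHA-256 digest obtained out of band, modules directory normally mode 555.

# install_module ARCHIVE EXPECTED_SHA256 MODULES_DIR  (hypothetical helper)
# Returns 0 on success, 1 on checksum mismatch, 2 if unpacking fails.
install_module() {
    archive=$1; expected=$2; target=$3

    # Verify the download before any permission is relaxed.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive, nothing installed" >&2
        return 1
    fi

    # Open the write window, unpack, and close it again whatever tar returned.
    old_mode=$(stat -c %a "$target") || return 2
    chmod u+w "$target" || return 2
    rc=0
    tar -xzf "$archive" -C "$target" --no-same-owner --no-same-permissions || rc=$?
    chmod "$old_mode" "$target"
    [ "$rc" -eq 0 ] || return 2
    return 0
}

# Constructed demo: build a tiny module archive in a temp dir and install it.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/hello" "$work/modules"
    echo '<?php // constructed sample module' > "$work/src/hello/hello.module"
    tar -czf "$work/hello.tar.gz" -C "$work/src" hello
    sum=$(sha256sum "$work/hello.tar.gz" | cut -d' ' -f1)
    chmod 555 "$work/modules"
    install_module "$work/hello.tar.gz" "$sum" "$work/modules"
    echo "install rc=$? mode=$(stat -c %a "$work/modules")"
    chmod -R u+w "$work"; rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the constructed archive installed and the directory mode returned to 555.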
participants (1)
- Metzler, David