[development] let's cleanup /misc

vlado vlado at dikini.net
Thu Jan 5 18:04:22 UTC 2006


> > 1. Improve the security of a Drupal install by keeping all files
> > private, except for an index.php, no module or include files should be
> > accessible from a web browser
The biggest problem with this approach will be the install of contrib modules that add
css files. IMHO Drupal can be awkward for custom styling of modules.
There is a chicken and egg problem of which css files should come first.
Until this is solved there will be holes in the suggested approach.
Otherwise, in principle +1 for at least enabling such installs.


> This will not increase security.
Well, not quite right there. It is a common sense security thing. There
are plenty of misconfigured|not allowed to use .htaccess|add your
favourite sites out there.

.htaccess is an Apache idiom.


>  If .htaccess can not protect you, why would this? 
Simply because you won't have access from the web server to those paths,
so your config et al directories are safe. If they are safe, you don't
need to rely on extra filtering.

> And how would we ship the tarball...? Untar this half below  
> documentroot and index.php to documentroot...? /me shakes head

The majority of installs are either untarred locally or the people have 
shell access.

For both of them the following is valid: untar

copy to "system" area
with this you will add copy to the "web" area

now system and web are one and the same

Actually both world views can coexist and it is a couple of lines patch,
unfortunately I can't find this in the forums (I posted something like
that in the summer).


> You need to convince me that the current is not good. I tell you, this is  
> not easy.
The current is good, it can be made better. What the defaults should be
is another matter - probably highly flameable.


