[development] RFC: letting modules phone home to check for new releases

Anton anton.list at gmail.com
Wed Nov 22 21:05:20 UTC 2006


On 22/11/06, Derek Wright <drupal at dwwright.net> wrote:
> your Drupal source files *DO NOT* have to be writable by the
> webserver process uid for "the files to be usable by Drupal" (!!!).
> the "files" directory is a special case, which is why a) it's been a
> source of numerous security issues and b) it should be handled with
> intensely defensive programming by anything that's touching it.

Yep, a very important aspect of web application security is to protect
the web application from itself. The web server can't tell the
difference between a legitimate request to overwrite application files
and one that has manipulated the application into doing so. Trust
nothing (or more practically trust as little as possible).

Ideally the web server and the web application shouldn't trust each
other. Changes to the application should be done "out of band", i.e. not
through the same medium the rest of the internet uses to access the
application.

Of course, on a shared host there will be compromises that need to be
made. For instance phpsuexec effectively violates the "out of band"
idea by running the site as the "out of band" admin user, but it adds
protection against other sites on a shared host which is arguably more
important. When not on a shared host it would be better not to use
phpsuexec so running the app and changing the app are separated from
each other.

Hopefully that wasn't off-topic. Apologies for rehashing something most
of you are already fully aware of; I just wanted to reiterate what
Derek was saying in a slightly different way to make sure any less
experienced developers understood his point.

-- 
Cheers
Anton
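As an added illustration of the permission rule Derek and Anton describe (not code from the thread or from the Drupal project), the script below audits a web root for paths that are group- or world-writable outside the site's "files" directory, the one tree Drupal actually needs the web server to write to, and can strip those write bits. Everything here is assumed: the argument layout, the constructed fixture tree, and the choice to check mode bits rather than ownership (a fixture cannot chown without root; on a real host you would also list files owned by the web server uid, e.g. with `find "$docroot" -user www-data`).

```shell
#!/bin/sh
# Added example for this thread, not Drupal project code.
# Reports and fixes group/world-writable paths outside the "files" tree.

# audit_writable DOCROOT FILES_DIR
#   Prints each group- or world-writable path outside DOCROOT/FILES_DIR to
#   stderr and echoes the number found (0 means the source tree is clean).
#   Assumption: FILES_DIR is given relative to DOCROOT (e.g. sites/default/files).
audit_writable() {
  docroot=$1
  files_dir=$2
  # -prune skips the files tree; everything else with g+w or o+w is a hit.
  hits=$(find "$docroot" -path "$docroot/$files_dir" -prune -o \
           \( -perm -g+w -o -perm -o+w \) -print)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    printf '%s\n' "$hits" | wc -l | tr -d ' '
  else
    echo 0
  fi
}

# harden_writable DOCROOT FILES_DIR
#   Removes group and world write bits from every path outside FILES_DIR,
#   leaving the files tree untouched so uploads keep working.
harden_writable() {
  docroot=$1
  files_dir=$2
  find "$docroot" -path "$docroot/$files_dir" -prune -o \
       \( -perm -g+w -o -perm -o+w \) -exec chmod go-w {} +
}

# make_fixture
#   Builds a constructed sample site in a temp dir and echoes its path:
#   one module file is wrongly world-writable, the files tree is writable
#   on purpose. Directory modes are set explicitly so the umask cannot
#   change the result.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/sites/default/files" "$root/modules/foo"
  find "$root" -type d -exec chmod 755 {} +
  echo '<?php' > "$root/index.php"
  echo '<?php' > "$root/modules/foo/foo.module"
  echo 'upload' > "$root/sites/default/files/upload.txt"
  chmod 644 "$root/index.php"
  chmod 666 "$root/modules/foo/foo.module"          # wrong: source file writable
  chmod 777 "$root/sites/default/files"             # allowed: files directory
  chmod 666 "$root/sites/default/files/upload.txt"  # allowed: inside files tree
  echo "$root"
}

# Stand-alone run: audit the fixture, harden it, audit again.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_NO_MAIN" ]; then
  site=$(make_fixture)
  echo "before: $(audit_writable "$site" sites/default/files) writable path(s)"
  harden_writable "$site" sites/default/files
  echo "after:  $(audit_writable "$site" sites/default/files) writable path(s)"
  rm -rf "$site"
fi
```

The audit deliberately treats the files directory as a separate trust zone: it is expected to be writable, which is exactly why Derek's point about defensive handling of anything that touches it matters, while the rest of the tree should only change out of band.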

