[development] RFC: letting modules phone home to check for new releases

Metzler, David metzlerd at evergreen.edu
Wed Nov 22 23:27:43 UTC 2006


I know that this is a sensitive issue, and I'm certainly interested in security, so I thought that I'd point out that there is already some Drupal functionality, if memory serves, for creating the settings.php file from the web interface at install time, which would seem to require that you make your sites directory writeable by the www user. Because in the end it's all code that gets executed within Drupal, I think there's not much difference between being able to write to settings.php and being able to write to the modules directory (IMHO).

So from a security perspective, it seems to me we've already crossed this bridge. I could put just as damaging code in the settings.php file as I could in any module directory the way Drupal is architected.

I agree that command line tools would be a really nice feature, but I thought that the discussion of being creeped out regarding the modules directory was promoting a false sense of security.  

Dave



-----Original Message-----
From: development-bounces at drupal.org [mailto:development-bounces at drupal.org] On Behalf Of Darrel O'Pry
Sent: Wednesday, November 22, 2006 2:05 PM
To: development at drupal.org
Subject: Re: [development] RFC: letting modules phone home to check for new releases

Write perms to the modules directory from Drupal as the web server user is really hard for me to swallow....

Any package-manager-like script should be run from the command line as a privileged user. It should do its set job and be bulletproof.


On Wed, 2006-11-22 at 11:21 +0100, Oswald Jaskolla wrote:
> Wow,
> 
> Oswald Jaskolla wrote:
> > I am currently working on a system to automatically install modules.
> 
> looks like I really hit a nerve there. So let me clarify a few things:
> 
> - Downloading and installing is only done on explicit request of the
>   administrator. I am not Microsoft.
> - Downloaded files are not less safe because they are downloaded via
>   PHP. There is currently no checksumming available and apart from
>   developers nobody looks into the code to see if it was tampered with.
> - There are a lot of drupal installations for development and testing,
>   that do not have the same security needs as production sites have.
> - Typo3 does it.
> 
> The only security issue remaining is having write access to the 
> modules directory. If the actual downloading and unpacking is done via 
> a one time cron job, this cron job could temporarily alter the access 
> mode of the target directory, minimizing the time that the directory is writable.
> 
> Greetings,
> --
> Oswald Jaskolla
> Ingenieurbüro Richard Schieferdecker
> Kreuzherrenstraße 2
> 52062 Aachen
> 
> Tel.: 02 41 / 409 54 43
> Fax: 02 41 / 477 05 199
> mobil: 01 64 / 941 06 75
> eMail: oswald.jaskolla at schieferdecker.com
> 
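
The point argued in the reply above, that a web-writable settings.php is as dangerous as a web-writable modules directory, can be audited directly on an install. The script below is an added example, not part of the original thread or of Drupal itself; the file suffixes, the constructed sample tree and the stand-in web server uid are assumptions.

```python
import os
import stat
import tempfile

CODE_SUFFIXES = (".php", ".module", ".inc", ".install")  # assumed: files executed as PHP

def can_write(st, uid, gids):
    """Apply the classic Unix owner/group/other write check for (uid, gids)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_code_paths(root, uid, gids=()):
    """Return relative paths where (uid, gids) could add or change executed code."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        # A writable directory lets new files be dropped in; a writable file can be edited.
        files = [os.path.join(dirpath, f) for f in filenames if f.endswith(CODE_SUFFIXES)]
        for path in [dirpath] + files:
            if os.path.islink(path):
                continue  # symlink mode bits say nothing about the target
            if can_write(os.lstat(path), uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree():
    """Constructed layout: settings.php left world-writable after a web install."""
    root = tempfile.mkdtemp(prefix="drupal-audit-")
    for d in ("sites/default", "modules/node"):
        os.makedirs(os.path.join(root, d))
    for rel, mode in (("sites/default/settings.php", 0o666), ("modules/node/node.module", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    for d in (".", "sites", "sites/default", "modules", "modules/node"):
        os.chmod(os.path.join(root, d), 0o755)
    return root

def other_uid():
    """A uid that owns nothing in the sample tree, standing in for the www user."""
    return os.getuid() + 1000
```

On a real site, pass the document root together with the uid and group ids the web server actually runs under; an empty result means that account cannot alter any code Drupal loads from that tree.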


