[development] Sympal script / module Fetcher as profile enhancement

Jean-Marie Renouard jmrenouard at gmail.com
Tue Mar 27 12:55:51 UTC 2007


Hi Bér,

I don't know why we can find a positive issue to this point. :)

We could have write permissions during the installation process and at
the end of the process a instruction such as permission restrictions
to read only on the module file.

I hope we can find a positive issue to this. In fact, I find this is a
great feature to be able to install contributed modules at the
installation time.

Even if this the module directory have write permissions, there is
many other part such databases, cache directory that have write
permissions.

What can we do to avoid or "work around' such problem ?

I find this is a great and wonderful feature in fact ! Can we find a
other way such "unsafe module directory" system or other ways like
this ?

This is because I don't know this is impossible that we can reach it :)

Jean-Marie


On 3/27/07, Bèr Kessels <ber at webschuur.com> wrote:
> Op dinsdag 27 maart 2007 10:02, schreef Jean-Marie Renouard:
> > The moduleFectcher is able to catch module from the official Drupal
> > web site and install it into the directory tree.
> >
> > There is several issues I know about security around such a process
> > and I am agree from it.
>
> The solution for the biggest secutity issue, in this system, is that you don't
> have to rnu it from the web.
>
> The security issue is: If your web-application can write (to) itself, you have
> a severe security hole.
> Hence: If your website can install and run modules and code itself you have a
> problem.
>
> sympal scripts is ran from the CLI.
>
> And no! That does not mean "but but but Joe User Does Not Know the CLI".:)  It
> is meant to be fired from scripts that are ran from secure applications (on
> the web). Such as webmin, plesk, or your dedicated
> System-Admin-Drupal-Installation, running off a separare webserver.
>
> The way I use it, is trough a script that I run from my desktop. It allows me
> to install modules w/o spending any time on the servers CLI. We still have
> plans to merge this into webmin, but until now it generally works fine
> enough.
>
> Bèr
>
>


-- 
Cordialement,
Jean-Marie Renouard


More information about the development mailing list