Allowing Apache to write files

Events happening in the community are now at Drupal community events on www.drupal.org.
greggles's picture
Posted by greggles on November 8, 2010 at 10:18pm

There was recently a presentation about whether or not it's safe to let the webserver write to your document root:

http://www.pcworld.com/businesscenter/article/209860/how_default_app_ins...

This is something I've heard our community go back and forth about. I'd like us to come to a more solid position on the topic.

He also cites granting more mysql permissions than necessary as a mistake (one we avoid, though we could be a bit more strict...do we need the permission to drop tables, for example?).

Comments

Uninstall Functionality Requires Drop Tables Permission

Posted by Shai on December 20, 2010 at 3:46am
Shai's picture

Greg and all,

Given that the "uninstall modules" feature is part of Drupal core and considered a best practice to use... it seems like it would be hard to generically recommend that the drupal database user not have drop tables permission.

Certainly a knowledgeable site maintainer tightening down a critical site may be willing to give up the uninstall modules via the UI functionality in exchange for a more secure site; but that would be a more idiosyncratic case.

Would you share a list of the mysql permissions you assign for the database user for a typical install?

As for your first issue, re: policy about the webserver being able to write/or not to the document root... One thing that is hard is that there are so many different server configurations.

On my server I'm using suPHP... which removes the ability of the webserver to write to the document root, but does it in a way, that I gather, a lot of Drupalers don't like.

It's been good to me... but I'm still trying to figure it all out. Actually, just today I posted an issue to the security_review module (http://drupal.org/node/1002686) because I suspect that the file permissions part of the report fails to produce useful data for servers running suPHP.

Anyway,

Thanks much,

Shai

Shai Gluskin
Content2zero

suPHP test

Posted by greggles on May 20, 2011 at 11:30pm
greggles's picture

I personally just use the default Drupal INSTALL.MYSQL.txt permissions.

I've just written http://drupal.org/node/1153486 to try and do a better test related to suPHP environments.

It will actually try to write to files in your directory, so it's guaranteed to be a "good" test.

knaddison blog | Morris Animal Foundation

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: