I just performed a Panopoly upgrade on a dev site I'm working on and it went well. However, the Security Review is showing 6 errors out of a possible 10 items, and I haven't altered the basic Panopoly at all; I just added some modules and content. I'm wondering if these errors are normal for Panopoly and whether there are any guidelines for fixing them if they are typical for Panopoly.
I have fixed a few issues such as adding a base URL to the settings.php and "Errors are written to screen." But I'm not sure how to fix
"PHP files in the Drupal files directory can be executed."
Does this refer to sites/default/files? I searched and did not find any php files there. I certainly don't want to tamper with anything in the distro folders.
I also don't know what to do about "Some files in your directories are writable by the server." I have a huge number of files it found as writable, so I'll have to talk to my sysadmin.
Anyway, if anybody knows what files directory Drupal is referring to when it says "PHP files ... can be executed," it would be extremely helpful.
Thanks,
Peter
Comments
Drupal folder/file permissions
This is more a general Drupal file/permissions question than Panopoly specific. Take a look at this page on Drupal folder/file permissions. It explains what the settings should be and even includes a bash script you could use to apply the recommended settings.
https://www.drupal.org/node/244924
-
@foggyperspectiv | foggyperspective.com (blog)
admin/reports/status
Also check the main admin/reports/status page, it'll have some indications as to what the problems might be regarding permissions and other issues.
Most of those are webserver related...
Thanks for posting! Security is a topic that is very important to the Panopoly maintainers and contributors.
Definitely take a look at the things Damien and caschbre wrote above! As they noted, most of this stuff has to do with webserver configuration. (And thanks to them for responding to this so quickly!)
Regarding:
Yes, if you're not using multisite and the default directory location, that is referring to sites/default/files. It doesn't matter that there aren't any PHP files in there right now; what it's complaining about (I think) is that your webserver is configured such that it would execute a PHP file that was located there.
Anyway, for that stuff, unfortunately, there isn't anything we can change in Panopoly to help.
We could theoretically change the default to prevent "Errors are written to screen." but that could cause confusion when working on a site before taking it live. And Panopoly's default is the same as vanilla Drupal's, and so the same expectations and "go live" processes apply.
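An added example, not part of the thread or of Panopoly's or Security Review's code: a static audit of a public files directory for the condition discussed above. It assumes Apache honouring `.htaccess` files and the handler-override line that Drupal 7 writes into the files directory's `.htaccess`; the function name and the directory passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: offline audit of a Drupal public files directory.
# Assumption: Apache with AllowOverride enabled, so .htaccess is honoured.
# MARKER is the handler override Drupal 7 writes into files/.htaccess.
MARKER='SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006'

# audit_files_dir DIR
# Prints one line per finding and returns the number of findings (0 = clean).
audit_files_dir() {
  dir=$1
  findings=0
  ht="$dir/.htaccess"

  if [ ! -f "$ht" ]; then
    # No .htaccess at all: the server's global PHP handler applies here.
    echo "MISSING: $ht"
    findings=$((findings + 1))
  elif ! grep -qF "$MARKER" "$ht"; then
    # File exists but no longer overrides the script handler.
    echo "WEAK: $ht does not contain the handler override"
    findings=$((findings + 1))
  fi

  # Script files have no business in an upload directory, whether or not
  # the server would currently execute them.
  php_files=$(find "$dir" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null)
  if [ -n "$php_files" ]; then
    echo "PHP files present:"
    echo "$php_files" | sed 's/^/  /'
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Stand-alone use: sh audit.sh sites/default/files
if [ "$#" -gt 0 ]; then
  audit_files_dir "$1"
fi
```

A clean result only shows the files on disk are in order; whether the web server actually applies the `.htaccess` depends on its own configuration, which is the part the sysadmin needs to confirm.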