Safe file system permissions

This group is named after the "Safe file system permissions" test of the "Security Review" module. Our mission is to get that test "green" on every Drupal system. It's not about discussing the best practice; it's about fighting against the best practice being ignored.

With Drupalgeddon (SA-CORE-2014-005 - Drupal core - SQL injection) we saw massive attacks on Drupal sites aimed simply at turning them into "spam machines". On sites with unsafe file system permissions, it was easy for attackers to place additional PHP files outside the special folders such as "tmp" and "files" (which can be protected against PHP execution, e.g. with the standard .htaccess files on Apache web servers).

Drupal administrators with access to deeper server configuration can follow the guidelines for "Securing file permissions and ownership". But there are too many managed webspaces out there where the options for configuring a Drupal system safely are limited. This group is for preparing and coordinating activities to change this situation. In particular, hosting providers that sell products for Drupal hosting should be contacted with the help of the Drupal Association.

As long as there is no concept for handling self-updating via the web server (rather than, for example, with drush via SSH) in a secure way, we think this functionality is more a bug than a feature.


C_Logemann's picture

Proposed session (German) at Drupalcamp Essen 2015 (in October)

It's important to spread the information to local users and companies. So this is a proposed session at a primarily German-speaking Drupalcamp, and the linked proposal is therefore in German. But the content is similar to the group description:
http://drupalcamp-essen.de/15/session/sichere-dateirechte-wissen-verbrei...

Additionally, there will be a small demonstration of how to configure an Apache FCGI setup with suEXEC and how to configure managed hosting at the only bigger provider I know (Hosteurope).

greggles's picture

Consider merging this group into /security?

I don't see this as a broad or interesting enough topic to be worth its own group.

I believe that all of the conversations that would happen here are just as on-topic in the https://groups.drupal.org/security group.
