? 418302-copy-settings-185.patch
? 418302-copy-settings-197.patch
? sites/default/files
? sites/default/settings.php
Index: INSTALL.txt
===================================================================
RCS file: /cvs/drupal/drupal/INSTALL.txt,v
retrieving revision 1.81
diff -u -p -r1.81 INSTALL.txt
--- INSTALL.txt 30 Jul 2010 01:59:14 -0000 1.81
+++ INSTALL.txt 14 Sep 2010 16:23:13 -0000
@@ -79,13 +79,15 @@ INSTALLATION
    http://drupal.org/project/translations and download the package. Extract
    the contents to the same directory where you extracted Drupal into.
 
-2. CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS
+2. IF NECESSARY, CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS
 
    Drupal comes with a default.settings.php file in the sites/default
    directory. The installer uses this file as a template to create your
    settings file using the details you provide through the install process.
    To avoid problems when upgrading, Drupal is not packaged with an actual
-   settings file. You must create a file named settings.php. You may do so
+   settings file. During installation, Drupal will try to create this settings
+   file automatically. If this fails (which it can due to different server
+   setups), you must create a file named settings.php yourself. You may do so
    by making a copy of default.settings.php (or create an empty file with
    this name in the same directory). For example, (from the installation
    directory) make a copy of the default.settings.php file with the command:
Index: includes/install.core.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/install.core.inc,v
retrieving revision 1.28
diff -u -p -r1.28 install.core.inc
--- includes/install.core.inc 1 Sep 2010 01:24:05 -0000 1.28
+++ includes/install.core.inc 14 Sep 2010 16:23:13 -0000
@@ -1568,7 +1568,7 @@ function install_check_requirements($ins
     $exists = FALSE;
     // Verify that the directory exists.
     if (drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')) {
-      // Check to make sure a settings.php already exists.
+      // Check if a settings.php file already exists.
       $file = $settings_file;
       if (drupal_verify_install_file($settings_file, FILE_EXIST)) {
         // If it does, make sure it is writable.
@@ -1587,6 +1587,37 @@ function install_check_requirements($ins
         'description' => st('The @drupal installer requires that the %default-file file not be modified in any way from the original download.', array('@drupal' => drupal_install_profile_distribution_name(), '%default-file' => $default_settings_file)),
       );
     }
+    // Otherwise, if settings.php does not exist yet, we can try to copy
+    // default.settings.php to create it.
+    elseif (!$exists) {
+      $copied = drupal_verify_install_file($conf_path, FILE_EXIST|FILE_WRITABLE, 'dir') && @copy($default_settings_file, $settings_file);
+      if ($copied) {
+        // If the new settings file has the same owner as default.settings.php,
+        // this means default.settings.php is owned by the webserver user.
+        // This is an inherent security weakness because it allows a malicious
+        // webserver process to append arbitrary PHP code and then execute it.
+        // However, it is also a common configuration on shared hosting, and
+        // there is nothing Drupal can do to prevent it. In this situation,
+        // having settings.php also owned by the webserver does not introduce
+        // any additional security risk, so we keep the file in place.
+        if (fileowner($default_settings_file) === fileowner($settings_file)) {
+          $writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE);
+          $exists = TRUE;
+        }
+        // If settings.php and default.settings.php have different owners, this
+        // probably means the server is set up securely (with the webserver
+        // running as its own user, distinct from the user who owns all the
+        // Drupal PHP files). Keeping settings.php owned by the webserver would
+        // therefore introduce a security risk. It would also cause a usability
+        // problem, since site owners who do not have root access to the file
+        // system would be unable to edit their settings file later on. We
+        // therefore must delete this file and force the administrator to log
+        // on to the server and create it manually.
+        else {
+          drupal_unlink($settings_file);
+        }
+      }
+    }
     // If settings.php does not exist, throw an error.
     if (!$exists) {
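Review bot: `fileowner()` returns FALSE when the owner cannot be determined, and the strict comparison inside the `if ($copied)` branch treats two such failures as "same owner", so a webserver-created settings.php would be kept without the evidence the comment relies on to keep it. Guard the lookup first, `$owner = fileowner($default_settings_file);` followed by `if ($owner !== FALSE && $owner === fileowner($settings_file)) {`, so an unknown owner falls into the delete branch. The `drupal_unlink()` result in the else branch is also ignored; if the delete fails the webserver-owned file is left behind and, as far as the earlier hunk shows, the plain existence check at the top of the block would then accept it on the next request, so that return value deserves at least a logged requirement error. The enclosing function install_check_requirements starts and ends outside the hunk.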