Security warning: making your modules directory writeable by Apache is strongly discouraged; so is using this module. chx
Hi,
In response to a recent post I made, I have pleasure in announcing my first Drupal 5 module. It allows you to download and install a Drupal 5 module just by dragging, dropping and clicking (Firefox only, everybody else has to cut and paste the link!).
The reason for this module is so that I can set up Drupal 5 sites quickly and easily just by selecting a module '.tar.gz' file and clicking an Install button. It makes installation completely painless, try it, it's almost funny how simple it is!
For the time being the module is available at this location: OBJITSU Remote Install and will stay there until my ISP screams band-width at me ;-) Just download, unpack and transfer the 'reminst' folder into the modules directory and hopefully it could be the last module you ever install the hard way.
Basically it lets you set up the file locations for downloading the package and for installing the module. For normal use the downloads can be 'files/tmp' and the modules folder must be the modules folder for your Drupal site. It is very good for 'grazing' i.e. finding out what modules exist out there and quickly downloading them to see what they can do for your site.
Please make sure that the permissions are set for reading and writing or the operation will fail. If it does fail then you will see a list of all generated error messages that were picked up along the way. If the operation is good then the new module should now be present on the modules page ready for you to activate and configure as you want.
I can't believe how beautiful the API for Drupal 5 is; it puts some commercial APIs to shame, and after 21 years in the business I feel qualified at least to say that much. It has been a pleasure to write this module and hand it back to other users, I sincerely hope that you find it useful and any ideas for improvements will be welcomed.
I currently have another version that downloads (ftp_nlist) from Oregon State University site the list of modules and filters for *-5.x-* entries but there are just too many in the list and it would not be pleasant... If anybody knows of a way to make this work then I would love to extend this module to allow 'multiple selection' and a list based interface to the complete set of modules.
I also thought about a password field on the install page as well but you already have to log in so it seemed a bit of a waste of time. I have not really considered the security aspects. Would a 'captcha' be worth the effort?
I don't plan to do a 4.7 version but may, just maybe...!
LONG LIVE MODULE GRAZING :-)
PS: How do I go about getting this module added to the official Drupal 5 module set? I would consider it a lifelong honour if this module made it into the core package. For me, it allows non-technical people to just point-and-click to install any module they care to select.
Thanks,
Sean Charles.
OBJITSU
Comments
Excellent
I haven't tried it out, but IMHO this is the last piece in making the installation of drupal truly admin-friendly. Sure, many of us are comfortable with the command line and tar and gzip, but being able to install a module via your browser is very handy. Especially if your hosting provider doesn't give you command-line access. It also catches Drupal up to Joomla. Well done. Looking forward to playing with this.
considering serious security
considering serious security risks with this. can a security specialist evaluate this module?
also, can this module be integrated with status update module? http://drupal.org/node/124187
Sometimes something interesting appears on http://litwol.com
Status Update Integration
Already got it planned!
Once this module becomes a stable, off-the-shelf item, for example, does not cause problems like it did for Martin and CiviCRM then I am going to look into this because I would love to be able to add a button on the Install pages that says 'Check For Updates and Install Them Right Now'. Well, the button text may be shorter!
I think that calling the Update modules, grabbing the output and then presenting a list of modules that needed updating, along with a checkbox and a GO button would be a very nice feature. Potentially I can hook it in as a cron job so that your site always updates automatically. The other alternative is that the Update output screen has an 'UPDATE NOW' button that calls my module instead, whatever people feel is the grooviest solution.
I just installed (effortlessly of course) the Update Module using my module with a view to making them play nicely together. I can see some road ahead where the Release Monitor, Update Module and the Remote Install Module become a single lump of code called 'Your Name Here' to provide an all encompassing site module management package.
Personally the thought of a live web-site automatically updating scares the crap out of me. :-)
Let's get it stable first!
Security Considerations...
I too would be interested as I did consider it before I started. Like I said, I was going to ask for the admin password on the install page but presumably the admin is already logged in at this point. It would be useful for example, if the admin has wandered off leaving the admin user logged in (sack him!) and a malicious person came along...
From a scripting attack / SQL injection etc perspective, I am using ZERO SQL and I have made full use of the Drupal API so on the surface of it, it's as secure as any other Drupal 5 module. What that means in reality I have no idea.
Apart from that I can't really think of any other vulnerabilities. If the tar.gz file contained a malicious module that was unpacked and installed then, on hitting the modules page and executing any install code I guess it could trash the database or do something nasty with unlink() but that would not be the fault of the Remote Install, it would be the module, which, however it was installed would still have done the same thing.
The security black-hats have us all running scared!
Sean Charles
In order for this module to
In order for this module to work, your /modules directory needs to be writable by the webserver which is a very bad idea. I advise against using this or similar modules.
--
Drupal services
My Drupal services
Drupal usage
Well, taking into account that Drupal is a platform for web developers who anyway write some code and save it on the server, I think security is more important than risking the good name of the platform because we are lazy and don't feel like uploading modules. I believe this should be only installed on the dev server when the security level can be lower compared to the production site. So if you feel like use it on production server and then upload the whole Drupal structure (without this module) to the production site.
--
kindest regards
Maciej Perlinski
http://www.meant4.com
maciej.perlinski@meant4.com
After installation of the
After installation of the module in sites/test.domain/modules/ and direct after turning on the module:
Fatal error: Cannot redeclare _pear_call_destructors() (previously declared in /usr/lib/php/PEAR.php:771) in ........./public_html/drupal/modules/civicrm/packages/PEAR.php on line 796
Yes, I have CiviCRM also on my test site.
After switching off civicrm and placing it out of the modules map the installation goes well but in admin/build/modules/reminst:
Fatal error: Cannot use string offset as an array in ........../public_html/drupal/modules/system/system.module on line 1431
It is not yet .... my last hard module installation .... ;=)
Martin
From your description it is
From your description it is easy to understand that those errors happened because of incorrect namespace handling.
It can easily be fixed by inserting a check if pear module is loaded before it's called again inside civicrm and/or this new module.
Sometimes something interesting appears on http://litwol.com
Redefinition of _pear_call_destructors
Martin,
OK, maybe I was a little presumptuous about it being the last installation the hard way! I am a little confused about the error though. The ISP that I use *does* provide a PEAR installation to use but I didn't want to take the chance that some other ISP may not have it which is why I included the files.
However, I have used the 'require_once' approach to do so as I did consider that they may already have been dragged in somewhere along the chain before my module gets a shout.
My conclusion is that, and somebody please tell me I am wrong on this, that the CiviCRM file set must be using files and *not* using the require_once tactic and thus causing a re-definition.
If that is a correct deduction then I can emit a smug grin and say 'Not my fault' and ignore your problem. However, if it is incorrect and it is my fault, then I'll fix it ASAP as I want this to be a *really useful engine* of a module for Drupal 5. It absolutely kicks butt for an open source CMS. I use Joomla a lot because Virtue-Mart 'feels better' than the current e-commerce module set but I have just completed a Drupal e-commerce site and it wasn't that bad either.
So, somebody tell me my mistakes and I will fix it as soon as I can and update the download or downdate the upload or whatever it is we do.
It's a shame it didn't work out of the box though because I have been using it a day or two and I can't believe how much time I have saved myself!
Thanks for the feedback,
Sean Charles
Civicrm modifies PEAR
According to this post: http://forum.civicrm.org/index.php/topic,3708.0.html , Civicrm has "made few modifications to some of the pear packages".
Drupal 5 has Issues with PHP Version 5.2.0-8
Martin.
Essentially, NOT GUILTY!!
I have been doing some reading around and this page sheds some light on the issue you had with getting the error message:
Have a read, it's dated 2004 but it got me started: http://bugs.php.net/bug.php?id=28107 for some background, eventually I devised a solution.
The 'fix' is to replace the function in system.module, "system_module_build_dependencies()" in two places:
FROM:
TO:
and...FROM:
TO:
This notation could/must be used in all sorts of places so I think that the issue is more to do with PHP 5 than anything else, better minds than me can comment on it.
I am going to make a post on this issue and see what comes out of the woodwork.
Sean Charles.
=-=
to get the module distributed on drupal.org in the modules area, one would have to create a CVS account see: http://drupal.org/handbook/cvs
missing something--how to use?
Hi. I'm trying to get my 5.1 test site going and would like to use this module to test other modules. I've installed it and enabled it and now what do I do next? How do I use it to drag and drop in Firefox? I didn't see a readme or anything and the module doesn't come up in the user/permissions list in the admin. I'm sure I'm missing something obvious, can anyone enlighten me?
security problems
I recently updated the page in the handbook about filesystem access that is within the section of the writing secure code handbook.
This module ignores quite a bit of the advice in there and requires configuration that is against the best practices. I'm adding this comment to give more clarity about chx's warning and also to subscribe to the issue.
This is an OK idea for a test server that's running on your workstation as long as you always keep that machine very safe behind firewalls. It should not be used in production.
--
Open Prediction Markets | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book
--
Morris Animal Foundation
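An added example, not part of the thread or of the Remote Install module: a read-only audit that lists everything under a Drupal modules directory that the web server account can write, which is the configuration the warnings in this thread are about. It inspects permission bits only (no ACLs, no root override); the command-line arguments and the `www-data` account name in the comment are assumptions.

```python
import os
import stat
import sys


def _class_can_write(st, uid, gids):
    """POSIX class selection: owner bits if uid owns the file, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def webserver_writable(modules_dir, uid, gids=()):
    """Return sorted paths (relative to modules_dir) that uid/gids may write.

    A writable directory lets the account add or replace module files;
    a writable file lets it change code that Drupal will later execute.
    Symlinks are skipped rather than followed.
    """
    gids = set(gids)
    findings = []
    if _class_can_write(os.lstat(modules_dir), uid, gids):
        findings.append(os.curdir)
    for dirpath, dirnames, filenames in os.walk(modules_dir):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if _class_can_write(st, uid, gids):
                findings.append(os.path.relpath(path, modules_dir))
    return sorted(findings)


if __name__ == "__main__":
    import grp
    import pwd

    # Assumed invocation: audit.py <modules_dir> <webserver_user>  (e.g. www-data)
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <modules_dir> <webserver_user>")
    pw = pwd.getpwnam(sys.argv[2])
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
    hits = webserver_writable(sys.argv[1], pw.pw_uid, groups)
    for rel in hits:
        print("writable by %s: %s" % (pw.pw_name, rel))
    sys.exit(1 if hits else 0)
```

An empty result is the state the handbook advice aims for; any hit on a production site means code on disk can be changed through the web server process.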
Wow, time flies! I thought
Wow, time flies!
I thought I'd check out my old module contribution and your comments about me ignoring advice are probably true for the simple reason that I never knew anything about the information you refer to, and in addition as I stated in the intro, it was intended for development mode only.
So, right on both counts but I already knew that!
:)
Sean Charles.