Have I missed something?
Security Issue requires the modules and themes sub-folders of /sites to be not writeable by whatever user is running the Drupal php scripts.
Drupal 7 came with a new, significant improvement, which is that you can update a module to the latest recommended version from within the Drupal 7 admin UI. That should mean far fewer out-of-date installations. +1 from me.
But, if Drupal cannot write to the /sites folder, how would it perform such an update? Far from making an installation more secure, is it not less secure if it is harder to perform an update on a module?
I don't know if it makes any difference (I don't think so), but I'm running under a suPHP environment. That creates the additional module upload burden, in that the sites folder will be read-only for the owner (being the user who runs the PHP scripts), so they would have to chmod the folder before they can update a module manually.
I've just tested this. Installed a brand-new D7 site. Installed Mollom 7.x-1.0. Hardened the file system to make it 444 for files and 555 for directories. Logged in, looked for available updates, followed the wizard to update Mollom to 7.x-1.1, and got the error
Error installing / updating
File Transfer failed, reason: Cannot remove file {snip-full-path}/sites/all/modules/mollom/mollom.install.
Comments
Comment #1
greggles commented
It's a balancing question, for sure. Making the directory writable will make it easier for users to attack further and further into the site. On the other hand, keeping it writable will let you update faster, lessening the likelihood of an attack.
You can always skip the check if you feel it's not appropriate for your site.
For someone who is looking for more security an upgrade process could be:
1. Chmod the files so they are writeable
2. Update modules
3. Chmod back
4. Confirm permissions with security_review.module
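The four-step cycle from the comment above, as an added shell example (not code from the issue, its comments, or security_review.module): lock the tree to the 444/555 modes the issue tested, open it for the update, re-lock it, and verify that nothing stayed writable. Directory paths are assumptions, and the final check is a plain find-based equivalent of the kind of test security_review.module performs, not its code.

```shell
#!/bin/sh
# Added example (not from the issue or its comments): the lock / update /
# re-lock / verify cycle from comment #1, with the hardened modes the issue
# tested (444 files, 555 directories). Directory paths are assumptions.

# Step 3: lock a code tree. Files 444, directories 555.
lock_tree() {
  find "$1" -type d -exec chmod 555 {} \; &&
  find "$1" -type f -exec chmod 444 {} \;
}

# Step 1: make the tree writable for the update wizard. Owner-write only
# (644/755): under suPHP the PHP user owns the files, so 777 is not needed.
unlock_tree() {
  find "$1" -type d -exec chmod 755 {} \; &&
  find "$1" -type f -exec chmod 644 {} \;
}

# Count entries with any write bit set (owner, group or other).
count_writable() {
  find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Step 4: succeed only if nothing under the tree is writable. This is the
# state in which the wizard fails with "Cannot remove file", because unlinking
# needs write permission on the containing directory.
check_locked() {
  [ "$(count_writable "$1")" -eq 0 ]
}

# Steps 1-4 in one call: unlock, run the update command given as the remaining
# arguments, re-lock regardless of its result, then verify the lock held.
update_cycle() {
  dir=$1; shift
  unlock_tree "$dir" || return 1
  if "$@"; then rc=0; else rc=$?; fi
  lock_tree "$dir" || return 1
  check_locked "$dir" || return 1
  return "$rc"
}

# Usage (constructed path; substitute your own update command):
#   update_cycle /var/www/drupal/sites <update command>
```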
Comment #2
greggles commented
Comment #4
luco commented
hey there,
you can use a few commands in Terminal to quickly change files' and folders' permissions. Navigate to your Drupal installation, then type as follows:
liberate everything:
find . -exec chmod 777 {} \;
lock files and folders
liberate all SITES/[sitename]/FILES folders and contents
try these out, let me know if it works for you.
cheers