Closed (fixed)
Project:
Provision
Version:
7.x-2.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
15 Jan 2012 at 04:56 UTC
Updated:
12 Jun 2014 at 08:41 UTC
In line 233 of provision.config.inc, we set the drushrc file to chmod 0400. This prevents shell users who belong to the 'aegir' group from running some drush commands against sites from the CLI, as they can't open the drushrc.php file to load various attributes.
Can we afford to set this file to chmod 0440 and just ensure the 'group' is also 'aegir'? Do you foresee any major security issues with this? I can't, but I wanted to get some insight from anarcat or others.
Comments
Comment #1
chrisschaub commented:
They should be 0440 so sites can use ACL to get drush working. The provision_acl module sets the group ACL correctly for the client, but without the group bit set to read, it doesn't work. I don't see any security issues since the perms are aegir:aegir anyway. So, I second this change!
Comment #2
anarcat commented:
Go.
I fail to see how this would keep the provision_acl module from working though. But anyways, let's do it.
Comment #3
chrisschaub commented:
Great. What happens is that the ACL permissions set the group bit via provision_acl. But, the file has no group read bit set. So, ACL can't give you permissions that don't exist on the filesystem -- it can just add users to use the existing permissions. So, drushrc.php can't be read by drush or a client user via shell in a site directory. Changing to 0440 works well.
Thanks!
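The mechanism comment #3 describes, as an added illustration (this is not Provision or provision_acl code): a small model of the POSIX.1e access check from acl(5), where chmod on a file carrying an extended ACL turns the group bits of the mode into the ACL mask, and the mask caps every named-user, named-group and owning-group entry. The uids, gids and ACL entries are constructed, and named entries are assumed to have been set with setfacl beforehand.

```python
"""Model of the POSIX.1e ACL access check (acl(5)): why chmod 0400 on
drushrc.php leaves a client ACL entry ineffective while 0440 does not."""

R, W, X = 4, 2, 1


def chmod_acl(acl, mode):
    """Apply an octal mode to a file that has an extended ACL. As on Linux,
    the group bits of the mode become the ACL mask entry; the owning-group
    and named entries keep their stored permissions but are capped by it."""
    acl = dict(acl)
    acl["user_obj"] = (mode >> 6) & 0o7
    acl["mask"] = (mode >> 3) & 0o7
    acl["other"] = mode & 0o7
    return acl


def has_access(acl, uid, gids, want):
    """True if uid (member of gids) is granted the permission bits `want`."""
    if uid == acl["owner_uid"]:
        return (want & ~acl["user_obj"]) == 0
    if uid in acl["named_users"]:
        return (want & ~(acl["named_users"][uid] & acl["mask"])) == 0
    group_entries = []
    if acl["owner_gid"] in gids:
        group_entries.append(acl["group_obj"])
    group_entries += [p for g, p in acl["named_groups"].items() if g in gids]
    if group_entries:
        # A matching group entry never falls through to "other": any masked
        # entry covering the request grants it, otherwise access is denied.
        return any((want & ~(p & acl["mask"])) == 0 for p in group_entries)
    return (want & ~acl["other"]) == 0


# Constructed: drushrc.php owned by aegir:aegir (uid/gid 1001), with a
# provision_acl-style named group (gid 2001) and named user (uid 2002).
DRUSHRC_ACL = {
    "owner_uid": 1001, "owner_gid": 1001, "group_obj": R,
    "named_users": {2002: R}, "named_groups": {2001: R},
}
CLIENT = (2002, {2001})            # client shell user, in the client group
AEGIR_SHELL_USER = (3000, {1001})  # shell user in the 'aegir' group


def client_can_read(mode):
    return has_access(chmod_acl(DRUSHRC_ACL, mode), *CLIENT, R)


def aegir_group_can_read(mode):
    return has_access(chmod_acl(DRUSHRC_ACL, mode), *AEGIR_SHELL_USER, R)


if __name__ == "__main__":
    for mode in (0o400, 0o440):
        print(f"{mode:04o}: client={client_can_read(mode)} aegir={aegir_group_can_read(mode)}")
```

With 0400 the mask is `---`, so both the named client entry and the aegir group entry are masked to nothing; with 0440 the mask is `r--` and both can read, while users outside those groups still get the `other` bits (none).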
Comment #4
Anonymous (not verified) commented:
Fix committed.