Posted by greggles on February 27, 2012 at 10:42pm
This is an issue from dww that was internal on s.d.o; we're removing stuff from that queue if it doesn't really, really need to be private:
That's great. But, that seems like you're talking about configuration *within* your Drupal site. I think we should at least have a page, if not a section, outlining some of the things that average Drupal admins, even on shared hosting accounts, should be aware of *outside* their Drupal installation. I know we don't want to get into the business of providing and maintaining generic documentation on how to be a security-conscious sysadmin. Unfortunately, I don't think we can assume a base-level understanding of the issues, and reading through these docs once might be the only thing that many Drupal admins ever do to educate themselves. We should at least provide a place to introduce people to some things to be aware of and provide links to other sources of information.
We've had to strike the right balance on this before, for example, in the CVS handbook. I didn't want to duplicate the effort of a CVS manual, but at the same time, I couldn't just assume everyone had read one, and sometimes I had to introduce some basic concepts myself, and provide links to existing manuals for more info.
Rough sketch of some of the things this section could contain:
- File ownership and permissions
- Protecting info about how to connect to the site's DB
- The security implications of the 'files' directory and what to do about them
- What to do about your site's temp directory, why /tmp can be a scary place, etc.
- .htaccess considerations
- Restricting access to update.php and cron.php (it's too bad this has to live in the "outside Drupal" section of the docs).
- Warnings about why FTP is insecure, to encourage people to seek more secure alternatives
Thoughts? Is this opening a can of worms? Do people agree at least a brief introduction to some of these things and pointers to other docs would be worth adding? Any other suggestions for what we should cover here?
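As an added illustration of what a few of the items in that sketch look like in practice (file ownership and permissions, protecting the DB connection info, the files directory and its .htaccess), here is a small POSIX-shell audit. It is example code written for this page, not code from the original post or from the Drupal project. It assumes Drupal's conventional layout (`sites/default/settings.php` holding the database credentials, `sites/default/files` as the web-writable files directory); the checks it performs, the constructed sample tree and the `make_sample_site`/`harden_sample_site` helpers are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Drupal project.
# Audits a Drupal-style tree for a few of the "outside Drupal" concerns above.
# Assumed layout (Drupal's conventional one): sites/default/settings.php holds
# the database credentials; sites/default/files is the public files directory.

# audit_drupal_root ROOT: print one line per finding; print nothing if clean.
audit_drupal_root() {
    root="$1"
    settings="$root/sites/default/settings.php"
    files="$root/sites/default/files"

    # settings.php contains the DB connection details: on shared hosting any
    # other local user can read a world-readable file, so deny "other" bits.
    if [ -f "$settings" ] && [ -n "$(find "$settings" -perm -o=r)" ]; then
        echo "settings.php is world-readable: $settings"
    fi
    if [ -f "$settings" ] && [ -n "$(find "$settings" -perm -o=w)" ]; then
        echo "settings.php is world-writable: $settings"
    fi

    # The files directory must be writable by the web server, so it must never
    # be allowed to execute PHP; Drupal writes an .htaccess there for that.
    if [ -d "$files" ]; then
        [ -f "$files/.htaccess" ] || echo "no .htaccess in files directory: $files"
        find "$files" -type f -name '*.php' | sed 's/^/PHP file inside files directory: /'
    fi

    # Nothing outside the files directory should be world-writable.
    find "$root" -path "$files" -prune -o -type f -perm -o=w -print 2>/dev/null \
        | sed 's/^/world-writable file: /'
    return 0
}

# count_findings ROOT: number of findings, handy for scripting and tests.
count_findings() {
    audit_drupal_root "$1" | wc -l | tr -d ' '
}

# make_sample_site DIR: build a constructed, deliberately sloppy sample tree
# (assumed fixture for this example, not a real site).
make_sample_site() {
    mkdir -p "$1/sites/default/files"
    printf '<?php // constructed: DB credentials would live here\n' \
        > "$1/sites/default/settings.php"
    chmod 644 "$1/sites/default/settings.php"               # world-readable
    printf '<?php // constructed: stray upload\n' > "$1/sites/default/files/upload.php"
    chmod 644 "$1/sites/default/files/upload.php"
    printf '<?php\n' > "$1/update.php"
    chmod 666 "$1/update.php"                               # world-writable
}

# harden_sample_site DIR: apply the fixes the audit asks for.
harden_sample_site() {
    chmod 640 "$1/sites/default/settings.php"               # owner + web group only
    rm -f "$1/sites/default/files/"*.php
    # The handler line is the one Drupal itself writes into files/.htaccess.
    printf 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\n' \
        > "$1/sites/default/files/.htaccess"
    chmod 644 "$1/sites/default/files/.htaccess"
    chmod 644 "$1/update.php"
}

# Usage: sh audit.sh /path/to/drupal/root
if [ -n "${1:-}" ]; then
    audit_drupal_root "$1"
fi
```

The checks use `find -perm -o=r` / `-perm -o=w` rather than `stat`, because the symbolic form of `-perm` is POSIX and behaves the same on GNU and BSD systems, which matters for the shared-hosting audience the post has in mind. The script only reports; it does not change anything on a real tree, and `harden_sample_site` exists solely to show what a corrected layout looks like against the constructed fixture.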