Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By joly on
Hello,
I use opensource software for some while now. But there is an issue I really do not understand.
Why ?!? is the core of the software not installed OUTSIDE the www-root??
I think the main reason will be that it is easier, cause the programm is installed in one directory. And else it is more difficult cause it must be installed in 2 directories.
I recently choose drupal above joomla. One of the things I like from Drupal is the multi-site feature. When drupal can do this, why not take it a step further? And make a difference between core and wwwroot-part.
Greetz, Joly
nb. If this discussion already exists, can you please a link to it. I could not find it yet.
Comments
Install it wherever you want
Assuming you have a typical shared hosting setup or better, you can put Drupal in whatever directory you want (perhaps ~/drupal6), give that directory proper permissions, and point your websites at it using *nix, DNS, or Apache tricks.
Hello, Uh, yea sure. It is
Hello,
Uh, yea sure. It is not an how-to question, but more a why? hoping that it is changed.
Greetz, Joly
If your criteria is security...
I don't see how this is an issue because all calls to the directory are routed to Drupal's index.php . If you are thinking about convenience, you can put your uploaded files outside the webroot so they can be backed up easier or shared between your multisites. If you're thinking about something else, I didn't catch it, so please explain it again.
Well cause if you would 50%
Well cause if you would 50% of the people using drupal now wouldn't be able to install it. And while the aditional security you gain is probaly there you can't remotly access any relevant files normally anyway.
Maybe this helps you
http://www.google.de/search?hl=de&client=firefox-a&rls=org.mozilla%3Ade%...
What difference would it make?
What difference would that make?
Whether or not the core files are inside or outside the web root has no bearing on the ability/requirements of the web server to read and/or write to the core files.
ie the web server will need to read the files no matter where they are, and the web server should not be able to write to them no matter where they are either. The web server should not send the PHP source files to the browser no matter where they are stored either.
The only thing it gives you is one extra layer of things the server admin has to horribly misconfigure to make the server totally insecure. If you get to the point where that is all you have, then you're already in trouble.
--
Anton
Hi, Thanks for all your
Hi,
Thanks for all your reply's.
I think the question 'what difference ..?' is the wrong one.
A webserver gives us layers and with that security is given. We get root-dirs and a www-root.
Because it is easier we only use the www-root and then we have a security problem. So we start fixing our problem.
But when we use the server-security the problem would not exist.
So i think our start is wrong.
Let's solve the original problem ("installing the script should be easy") and while doing that we can even get a better script.
>> paths should be in a config-file
>> make variables to the core-paths and to the wwwroot
Then anyone can choose for himself if he install all inside the wwwroot or have a separate core-root.
The script itself will become better, cause the rule: 'dont hardcode data' is not violated anymore ;)
Also paths are more flexible and can be changed by the user.
Also are we more flexible where multisites are put.
I think with this there is no problem that 50% of the user can't install drupal. Cause drupal can still be installed in the wwwroot if you want to.
Greetz, Joly
security problem?
What exactly (technical explanation please) is the security problem? What exactly are the extra threats from having PHP files in your webroot?
Moving the files outside the webroot is effectively only giving you the illusion of an extra layer of security - and one that only applies in one or two contrived scenarios of sysadmin incompetence.
The only thing you are being "protected" against is mod_php getting turned off - which is pretty silly and near the bottom of the list of things to worry about. Web server access control on the sensitive files (eg settings.php) offers exactly the same protection in that contrived scenario anyway, and can be implemented much easier.
If someone exploits Drupal, those files are exactly as vulnerable inside the webroot as outside the webroot. The file permissions won't be any different.
If someone exploits something else on the server, those files are exactly as vulnerable inside the webroot as outside the webroot. The file permissions won't be any different.
--
Anton
It is not only the
It is not only the php-files. Drupal has many extensions. By putting that in the wwwroot those files can be viewed by explorer through http://
Outside the wwwroot, files cannot be viewed through http://
You can also ask something else: what is the point of putting files in the wwwroot when they are not supposed to be used directly via http://
Keep it clear:
- files that need direct access from http:// > those belong in the www-root
- all other are not needed in the www-root and shouldnt be there
And what do you think about the not-hardcode-principle ?
Greetz, Joly
Sounds like you might have a permission problem
Different webhosts have different ways of dealing with their shared environment. Mine uses phpsuexec, so php runs with my permissions, and no one else has write permission. There are now more advanced access control systems available. If php runs with root permissions, people can use it to crack other people's accounts on the server. If this is your situation, you should switch hosts.
Web server configuration
That is a web server configuration issue. The .htaccess file shipped with Drupal denies access to module files and includes. They will only be visible if either you use something other than Apache (in which case you need to tighten the security yourself), or your host doesn't let you secure those files (in which case I'd look for another host).
And besides what is the threat from anyone seeing those those files anyway? Do you have top secret custom code that is vitally important to your business? If not, Drupal is open source - people don't need to be able to view those files over the web to know what is in them. Even if they could see them, they still can't write to them.
The only files that usually need protecting are the settings.php file (ie it contains the DB access url), and the contents of those won't be visible unless you turn off PHP. And if you are paranoid enough to protect against that remote possibility, you could just add the settings.php file to the deny list in .htaccess.
The real threats to any web site is people exploiting vulnerable code - moving files outside the webroot does nothing extra to protect against that as the webserver still needs the same file permissions as it did before.
--
Anton
Uh tja.... that is a way of
Uh tja.... that is a way of looking at it. I cannot say that it is not true.
I still think: why take the risc. Why not use the root-layer as it is supposed. Only using the wwwroot when you really need to.
You don't need to bother about includes that are readable. Or settings.php with passwords inside.
By using the wwwroot for everything, you just créate a security problem.
And why not give the user a choice if he would like separate root and wwwroot
And what about the hard-coding -part? Using variables instead of hard-data.
Thanks for going into this discussion ;)
Joly
NB we have our own webserver with DA on apache/linux. I dont know anything about linux and i like it that way ;)