http://drupal.org/node/327888 highlighted the sensitive issues surrounding the permissions around the files in the platform.

I *think* things are mostly fine now: settings.php files are readable only by the webserver, provision.settings.php is readable only by hostmaster. However, the files in sites/ are generally owned by the 'nogroup' group which is wrong. It should probably be the 'hostmaster' group instead.

Also, if all settings.php files are owned by the www-data user, then sites can read each other's database settings and that's an issue, so even the 'www-data' ownership is an issue, even if it's a separate issue.
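An added example, not part of the original issue or of the project's code: a POSIX shell audit for the three conditions raised in the post above (a settings.php readable by everyone, a wrong group, and one account owning the settings of several sites). The function name `audit_settings`, the `sites/<site>/settings.php` layout, the numeric gid argument, and site directory names without whitespace are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the project's code).
# audit_settings PLATFORM_ROOT EXPECTED_GID
#   Prints one finding per line and returns 1 if anything was found, 0 if clean.
#   Assumes sites/<site>/settings.php and site directory names without whitespace.
audit_settings() {
    root=$1
    want_gid=$2
    out=$(
        for f in "$root"/sites/*/settings.php; do
            [ -f "$f" ] || continue
            # ls -ln columns: mode, link count, numeric uid, numeric gid, ...
            ls -ln "$f" | awk -v path="$f" '{ print $1, $3, $4, path }'
        done | awk -v want="$want_gid" '
            {
                mode = $1; uid = $2; gid = $3; path = $4
                # Character 8 of the mode string is the read bit for "other":
                # if set, any local account can read the database credentials.
                if (substr(mode, 8, 1) == "r") print "world-readable " path
                # Group differs from the one the operator expects.
                if (gid != want) print "wrong-group " path
                count[uid]++
                files[uid] = files[uid] " " path
            }
            END {
                # One uid owning several sites means code running as that
                # uid in one site can read the settings of the others.
                for (u in count)
                    if (count[u] > 1)
                        print "shared-owner uid=" u ":" files[u]
            }'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Pass the numeric gid of the group you expect (for example the output of `getent group hostmaster | cut -d: -f3`) as the second argument.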

Comments

anarcat’s picture

Status: Active » Postponed (maintainer needs more info)

I am not sure this is still the case, I feel like I fixed this now.

adrian’s picture

I feel that this can be closed.

We solved the settings.php reading by using the virtual host workaround.

adrian’s picture

Status: Postponed (maintainer needs more info) » Closed (fixed)

closing