Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Right now, since all settings.php files are owned by the www-data user, sites can read each other's database settings. That's a security issue that can be worked around using various techniques described in:
http://groups.drupal.org/node/12066
In any case, I feel that hostmaster should have plugins to manage permissions on those files depending on the technique chosen.
Comment | File | Size | Author |
---|---|---|---|
#7 | libnss-mysql.cfg_.txt | 1.46 KB | anarcat |
#5 | libnss-mysql.txt | 1.33 KB | anarcat |
Comments
Comment #1
anarcat CreditAttribution: anarcat commentedWe want to at least move the db_url into the apache environment so that sites can't access each other's databases. They will still see private file uploads and things like that, but at least damage is limited for 0.1.
Comment #2
adrian CreditAttribution: adrian commentedThe issue we have then is we can't rely on the settings in settings.php to install / synch / disable / etc sites.
This is an issue since we are only interfacing with drupal in command line mode. In HM1, i was parsing the vhost and setting up _SERVER vars by hand, but that was a hack. In this case i think we might need to use site.php instead of the vhost.
Comment #3
anarcat CreditAttribution: anarcat commentedThen maybe we just need to bite the bullet and properly setup file permissions and setup vhosts with fastcgi and proper permissions...
Comment #4
anarcat CreditAttribution: anarcat commentedI have made a lot of progress here.
I have built a hosting_itk and provision_itk modules that creates a vhost configuration file for the Apache ITK module. It's *almost* working: the file is created properly (through a new hook_provision_vhost_config()), the web_group is modified to be 5000 (hardcoded for now) + the client_id, and the webserver actually runs as that group. The only problem at this point is that the hosting task refuses to fix the permissions properly:
That would be actually true if I didn't make any other modification to my system. But I also experimented with libnss-mysql. I installed the libnss-mysql-bg package, which allows UID/GID <-> name mappings to be performed by MySQL. I have configured it to consult the Drupal 'users' and 'hosting_client' tables, the latter being the "group" "users" are part of...
It works on the command line:
Of course that's as root. If I add the "hostmaster" user to the "Administrator" group, it also works:
Note that I had to patch provision.path.inc so that it would take regular UIDs:
That hack is kinda crude and I probably should load that client and find its name, and chgrp on that, which may work.
I also needed this patch to make the settings.php fixed with the right perms:
... not sure this is right, though..
Anyways, long story short, this works in principle, but there are implementation problems at this point. There also may be performance problems, but I would need a much larger test scenario here.
Note that the libnss configuration is minimal:
I also include my configuration file.
Bottomline:
* works (or "should work" if it wasn't for PHP/provision.path.inc) as a module, marked as experimental
* depends on user/client relationship
* there will need to be a hostmaster users that is a member of every group for this to work
* needs benchmarking
Comment #5
anarcat CreditAttribution: anarcat commentedStupid drupal.org refused my file...
Comment #6
anarcat CreditAttribution: anarcat commentedI have committed some changes to provision described above so that ITK can work out of the box with HEAD.
I have also committed nodeapi hooks that automatically add the hostmaster user to the right groups when they are created.
I need to test all this.
Comment #7
anarcat CreditAttribution: anarcat commentedthe gid listings were broken in the nss configuration, here's an updated (fixed) config.
Comment #8
anarcat CreditAttribution: anarcat commentedI have imported ITK into provision HEAD now, but issues remain. Even though I committed code regarding that in hosting_itk, I still can't find a way to elegantly add the hostmaster user to every group created. Mainly because the Drupal users start at 1, so I have to add a "base uid" offset (GID_BASE, hardcoded to 5000 right now). This then means that the hostmaster user cannot be in that database because it's very likely to be created with a lower UID than GID_BASE. And anyways, the 'hostmaster user' isn't in the Drupal user database in the first place.
So in short, it's pretty hard to fix group memberships with 'real' unix users (in /etc/password) and groups define in the mysql database without some major hooplas. I even tried to make the hosting_client_user table to be unsigned, but that doesn't change anything because the libnss looks into the users table even for group lookups.
So the problem remaining still:
The symptom right now is this:
In fact, it's not that the group does not exist: it's that hostmaster isn't part of the group and therefore cannot change the ownership to that group. Example:
Right now, I see only two remaining solutions:
, backups, etc...)This is rather unfortunate and a major blocker at this point.
Comment #9
anarcat CreditAttribution: anarcat commentedAnother solution would be to put the hostmaster user directly in the mysql database, as a real drupal user, and then manage permissions properly.
Comment #10
adrian CreditAttribution: adrian commentedNot needed for 0.2 release.
Comment #11
anarcat CreditAttribution: anarcat commentedThis has actually been worked around pretty well by storing the credentials in the Apache environment, so I will close this for now. The rest of the discussion can happen in the broader #762138: Design security issue with developer access to sites' modules and themes.