The site.php file has the wrong permission, at the very least:

-rw-r--r--  1 hostmaster hostmaster  774 2008-11-07 15:54 site.php

That's not a big problem because the sites directory itself is only accessible to www-data.

However, i feel the sites/* directories should be owned by the hostmaster group and readable by all:

drwxr-x---  5 hostmaster www-data   4096 2008-11-07 15:54 .

There's no reason to restrict access to that directory (other than protecting the site.php file, which should have proper permissions in itself anyways).

In general, to allow access for developpers and others, the sites/ directory should have lax permissions.

CommentFileSizeAuthor
#5 perms.diff3 KBanarcat
#4 perms.diff2.97 KBanarcat
#3 perms.diff1.94 KBanarcat

Comments

anarcat’s picture

anarcat commented

Here are the permissions I would like on the directory:

drwxrwxr-x  5 hostmaster users      4096 2008-11-24 17:14 .
drwxrwxr-x 15 hostmaster hostmaster 4096 2008-11-24 17:14 ..
drwxrwsr-x  5 hostmaster users      4096 2008-11-24 17:14 files
drwxrwsr-x  2 hostmaster users      4096 2008-11-24 17:14 modules
-r-xr-x---  1 hostmaster www-data   1820 2008-11-24 17:14 settings.php
-rw-------  1 hostmaster hostmaster  778 2008-11-24 17:14 site.php
drwxrwsr-x  2 hostmaster users      4096 2008-11-24 17:14 themes

... where "users" should be configurable.

adrian’s picture

adrian commented

files needs to be owned by the web server group. It maintains readability / writeability for all files and paths created underneath that path using chmod g+S. You definitely do not want the file directory be writable by o+

themes/modules needs to be readable by the webserver, so I could see that maintaining the existing group on that could go. I would like to avoid more configuration though, so perhaps just leaving them in their original groups?

anarcat’s picture

anarcat commented
StatusFileSize
new perms.diff1.94 KB

A first attempt.

anarcat’s picture

anarcat commented
StatusFileSize
new perms.diff2.97 KB

Another attempt that fixes also the site.php perms.

anarcat’s picture

anarcat commented
StatusFileSize
new perms.diff3 KB

Another one that actually compiles and work:

drwxr-xr-x 5 hostmaster nogroup  4096 nov 27 18:12 .
drwxr-xr-x 7 hostmaster nogroup  4096 nov 27 18:12 ..
drwxrws--- 5 hostmaster www-data 4096 nov 27 18:12 files
drwxr-xr-x 2 hostmaster nogroup  4096 nov 27 18:12 modules
-r-xr-x--- 1 hostmaster www-data 1820 nov 27 18:12 settings.php
-rwx------ 1 hostmaster nogroup   780 nov 27 18:12 site.php
drwxr-xr-x 2 hostmaster nogroup  4096 nov 27 18:12 themes
anarcat’s picture

anarcat commented
Status: Active » Needs review

I'd like to have another pair of eyes before committing this.

Note that this doesn't resolve the issues underlined in http://drupal.org/node/334416#comment-1129042

anarcat’s picture

anarcat commented

New patch. Permissions on d5:

drwxr-xr-x  5 hostmaster nogroup  4096 nov 27 19:13 .
drwxr-xr-x 12 hostmaster nogroup  4096 nov 27 19:13 ..
drwxrws---  5 hostmaster www-data 4096 nov 27 19:13 files
drwxr-xr-x  2 hostmaster nogroup  4096 nov 27 19:13 modules
-r-xr-x---  1 hostmaster www-data 1820 nov 27 19:13 settings.php
-rw-------  1 hostmaster nogroup  1182 nov 27 19:13 site.php
drwxr-xr-x  2 hostmaster nogroup  4096 nov 27 19:13 themes

Perms on d6:

drwxr-xr-x  5 hostmaster nogroup  4096 nov 27 19:13 .
drwxr-xr-x 16 hostmaster www-data 4096 nov 27 19:13 ..
drwxrws---  5 hostmaster www-data 4096 nov 27 19:13 files
drwxr-xr-x  2 hostmaster nogroup  4096 nov 27 19:13 modules
-rw-rw----  1 hostmaster www-data 2059 nov 27 19:13 settings.php
-rw-------  1 hostmaster nogroup  1171 nov 27 19:13 site.php
drwxr-xr-x  2 hostmaster nogroup  4096 nov 27 19:13 themes

The latter is an issue, as the settings.php remains writable by the webserver. Drupal will yield a warning...

I'm committing the patch anyways, as this was probably the case before anyways.

anarcat’s picture

anarcat commented
Status: Needs review » Needs work

I verified that both sites work properly. Now we need to fix the perms on that settings.php file.

anarcat’s picture

anarcat commented
Status: Needs work » Fixed

I think this is mostly solved now, with the exception of security between sites, but that's another issue.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

  • Commit 0468eed on debian, dev-dns, dev-envobject, dev-koumbit, dev-log_directory, dev-migrate_aliases, dev-multiserver-install, dev-newhooks, dev-nginx, dev-platform_management, dev-ports, dev-purgebackup, dev-restore, dev-services, dev-simplerinstaller, dev-site_rename, dev-ssl, dev_716166_apache_conf, dev_dns, dev_server_verify, prod-koumbit, ssl, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by anarcat: 
    try to fix permissions by changing less stuff

See: #338657
  • Commit 87095dd on debian, dev-dns, dev-envobject, dev-koumbit, dev-log_directory, dev-migrate_aliases, dev-multiserver-install, dev-newhooks, dev-nginx, dev-platform_management, dev-ports, dev-purgebackup, dev-restore, dev-services, dev-simplerinstaller, dev-site_rename, dev-ssl, dev_716166_apache_conf, dev_dns, dev_server_verify, prod-koumbit, ssl, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by anarcat:
    Set proper file permissions after drupal install

Closes: #338657