please secure the 'sites/default/files/backup_migrate/scheduled' directory

CiaW - August 28, 2009 - 18:12
Project: Backup and Migrate
Version: 6.x-2.x-dev
Component: Miscellaneous
Category: bug report
Priority: normal
Assigned: Unassigned
Status: postponed (maintainer needs more info)
Description

Maybe this should have been a support request, I'm not sure. After installing new dev version of this module (on Drupal 6.13) I get the above security notice. I have recursively removed permissions for everything (read, write, execute) for both the group and other, in the backup_migrate directory under sites/default/files. (I left /sites/default/files alone) I'm still getting the above notice.

Then I created a destination (at admin/content/backup_migrate/destination) in /var/www/lighttpd/backup and also un-selected the 'enabled' on scheduled backups and I'm still getting the above error -- here's the entire error:

Security notice: Backup and Migrate will not save backup files to the server because the destination directory is publicly accessible. If you want to save files to the server, please secure the 'sites/default/files/backup_migrate/scheduled' directory

Now when I try to access my modules under site building, I get a blank white screen. Other pages give me the above error; but modules won't come up at all so I'm going to delete this module and hope the rest will come up. Thankfully this is my local system and not my live site.

#1

CiaW - August 30, 2009 - 01:09

I deleted the module and the WSOD went away -- and in reading a page on the WSOD I decided info from my error log might be more helpful than what I originally posted -- so here it is:

location: http://localhost/index.php?q=admin/content/backup_migrate/schedule
refer...
http://localhost/index.php?q=admin/content/backup_migrate/destination
M...
call_user_func_array() [<a href='function.call-user-func-array'>function.call-user-func-array</a>]: First argument is expected to be a valid callback, 'backup_migrate_menu_callback' was given in /var/www/lighttpd/includes/menu.inc on line 348

Hostname 127.0.0.1

There's also a log entry from when I first installed the upgraded module or ran update.php that says:
One orphaned action (backup_migrate_backup_action) exists in the actions table.
It then gives me the option to remove orphaned actions, but I'm not sure what that action is.

#2

ronan - October 26, 2009 - 03:36
Project: Backup and Migrate Files » Backup and Migrate
Version: 6.x-1.x-dev » 6.x-1.x-dev
Status: active » postponed (maintainer needs more info)

I suspect you meant to post this to the backup and migrate issue queue not the 'backup and migrate files' issue queue so I've moved it there.

As to your issues. What webserver are you running? Apache? IIS? Something else?

I probably can't help with the specifics of securing the files on your server but I think at very least you shouldn't be getting any warnings when you disable the default destinations.

The WSOD is a separate issue which I believe is fixed now.

The action is a b&m action which was presumably left behind when you uninstalled the module. If you are not using backup and migrate you should probably allow that to be deleted.

#3

marklindhout - November 23, 2009 - 08:46
Version: 6.x-1.x-dev » 6.x-2.x-dev

As you can see, the user posting this thread (CiaW) is using lighttpd.

I'm using lighttpd too, and I'm experiencing the same issue after upgrading the Backup and Migrate module to 6.x-2.x-dev.

I receive errors that tell me the backup destination directories are not secure. If I chmod them to something secure (like 655, but I've tried various), the Backup and Migrate-module starts complaining it has no write access to .htaccess files in these folders. Since I'm using lighttpd, there's really no need for apache configuration files, so this check is not in the right place.

For now I will return to the stable version, but it seems some consideration should be given to servers other than Apache.

#4

ronan - November 26, 2009 - 19:30

Your backup directory will need to be writable by the webserver for backup and migrate to work so if you're getting messages that there's no write access to the files then you'll need to switch the directory permissions back.

The module will want the .htaccess file to be in there (for its own peace of mind :)) so as long as it's not negatively affecting lighttpd then just leave it as is. You will need to find another way to make sure the contents of the file are not being served up publicly by the web server. Is there a way to password protect a directory using lighttpd?

If you can't find a way to stop lighttpd from serving the files in the backup directories then the best thing you can do is edit the default destinations to point to directories outside your web root. That way they won't be remotely readable and the backup and migrate security checks should succeed.

Does this make sense?
Ronan

#5

laprjns - December 6, 2009 - 15:21

I'm also using lighttpd and had this problem. I put the following lines in my lighttpd.conf file and was able to proceed with backing up my database.

$HTTP["url"] =~ "^/sites/default/files/backup_migrate/" {
      url.access-deny = ( "" )
}
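
Added example (not part of the original thread and not Backup and Migrate's own code): a check an administrator can run to confirm that a backup destination really is unreachable over HTTP, which matters on lighttpd because the .htaccess file discussed above has no effect there. The function names are hypothetical; the canary file it writes is random and is removed after the request.

```python
import os
import urllib.error
import urllib.request
import uuid


def inside_web_root(dest_dir, web_root):
    """True if dest_dir resolves (symlinks followed) to a path under web_root.

    A False result is not proof of safety: an alias or a symlink placed inside
    the web root can still expose the directory, so confirm with probe().
    """
    dest = os.path.realpath(dest_dir)
    root = os.path.realpath(web_root)
    return os.path.commonpath([dest, root]) == root


def url_for(dest_dir, web_root, base_url):
    """URL under which the server would expose a directory inside web_root."""
    rel = os.path.relpath(os.path.realpath(dest_dir), os.path.realpath(web_root))
    return base_url.rstrip("/") + "/" + rel.replace(os.sep, "/") + "/"


def probe(dest_dir, dir_url, timeout=5):
    """Write a random canary into dest_dir and try to download it.

    Returns "served" if the canary comes back, "denied" on an HTTP error
    such as 403 or 404, and "unreachable" if no answer was received, which
    says nothing about whether the directory is protected.
    """
    name = "canary-%s.txt" % uuid.uuid4().hex
    token = uuid.uuid4().hex.encode()
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as fh:
        fh.write(token)
    try:
        with urllib.request.urlopen(dir_url + name, timeout=timeout) as resp:
            return "served" if resp.read() == token else "denied"
    except urllib.error.HTTPError:
        return "denied"
    except (urllib.error.URLError, OSError):
        return "unreachable"
    finally:
        os.remove(path)
```

Run it as a user that can write to the destination, for example with web root /var/www/lighttpd and base URL http://localhost as in the log above. With the url.access-deny rule loaded (it is provided by lighttpd's mod_access), probe() should report "denied" instead of "served".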

 
 
