The database backup is readable by all, which makes it accessible by the webserver. The mode should at least be safe enough so that the webserver cannot read it (umask 077 or something).

Comments

anarcat’s picture

anarcat commented
Title: provision backup creates world-readable backup of the database in sites/foo.example.com » backup creates world-readable backup of the database in sites/foo.example.com

There's actually two problems here:

1. in some cases (interruption?) backup leaves the file lying around (this is more likely a drush issue, see #590634: interruptions should launch rollbacks), and;
2. more importantly: the file is world-readable. this is the issue at hand here.

Anonymous’s picture

Anonymous (not verified) commented

Doesn't the database dump get deleted post-backup and post-restore?

And backups live outside the document root?

Or are you talking about the fleeting moment where it drops it in database.sql before tarring up the whole directory?

Edit: nevermind I see you point out that an interruption will leave the dump lying around. Helps if I read properly :)

Anonymous’s picture

Anonymous (not verified) commented
Status: Active » Fixed

Think I've fixed this in HEAD, file is chmod to 600 on successful writing of the dump file.

anarcat’s picture

anarcat commented
Status: Fixed » Needs work

Yeah, so that's what I'm talking about: the database.sql gets created with too permissive... permissions. That file can be read while the dump is created, even if the permissions are fixed in the end. It needs to be created with the proper permissions (you can use umask for that).

Anonymous’s picture

Anonymous (not verified) commented
Status: Needs work » Fixed

A better fix committed to HEAD. Thanks

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 9818bf9 on debian, dev-dns, dev-envobject, dev-koumbit, dev-log_directory, dev-migrate_aliases, dev-multiserver-install, dev-newhooks, dev-nginx, dev-platform_management, dev-ports, dev-purgebackup, dev-restore, dev-services, dev-simplerinstaller, dev-site_rename, dev-ssl, dev_716166_apache_conf, dev_dns, dev_server_verify, prod-koumbit, ssl, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by mig5: 
    #590506 - make mysqldump file non-readable by webserver while executing...
  • Commit 1da651a on debian, dev-dns, dev-envobject, dev-koumbit, dev-log_directory, dev-migrate_aliases, dev-multiserver-install, dev-newhooks, dev-nginx, dev-platform_management, dev-ports, dev-purgebackup, dev-restore, dev-services, dev-simplerinstaller, dev-site_rename, dev-ssl, dev_716166_apache_conf, dev_dns, dev_server_verify, prod-koumbit, ssl, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by mig5:
    #590506 - set umask so that dump is generated with safer permissions. A...