Security notice with Aegir
| Project: | Backup and Migrate |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
I'm not totally sure which issue queue this should go in, but the error message is coming from this module so I'll start here.
When migrating a site that has been working just fine with Backup and Migrate to an Aegir platform, I get this message during the verification stage:
Security notice: Backup and Migrate will not save backup files to the server because the destination directory is publicly accessible. If you want to save files to the server, please secure the 'sites/[mysite].com/files/backup_migrate/manual' directory
Security notice: Backup and Migrate will not save backup files to the server because the destination directory is publicly accessible. If you want to save files to the server, please secure the 'sites/[mysite].com/files/backup_migrate/scheduled' directory
I've checked permissions on those directories and files. I've set everything to what it was before when it was working, a combination of 755 and 644 I think, and even tried very strict permissions for all of the files and directories. Every time I go and check the permissions after requeuing the verification, I find everything set to 770.
I bypassed this step on another site by removing the module from the platform and then re-adding it after the site had migrated, but then it would complain that it can't write to the directory, not that it's insecure. So I'm not sure how to satisfy this security check.

#1
Still having the same problem. Should this go in another issue queue?
#2
I've never used Aegir so I'm not familiar with the specifics of this issue, but I can explain the basics of securing the backups directory and maybe that will help.
Backup and Migrate needs to be able to write to the backup directory, but it is important that files in that directory are not remotely accessible (i.e. not being served up by the web server). The module does a check to see if the directories are secure by writing a test file to the directory and then attempting to access it via HTTP (by trying to download it from http://[mysite.com]/sites/[mysite.com]/files/backup_migrate/manual/test.txt, or wherever). If it is able to read this file remotely then it assumes the directory is insecure and gives an error.
To secure this directory, Backup and Migrate adds a .htaccess file to the directory which instructs Apache to deny any HTTP requests to files in that directory. It's possible that somewhere in the Aegir process this procedure of adding the .htaccess file and checking the remote access is not working as expected.
Does this make sense?
When I get some time I'll set up an Aegir environment and see if I can reproduce this issue.
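The probe and the .htaccess guard that comment #2 describes, written out as an added example (not part of this thread and not the module's own code). It assumes a `Deny from all` .htaccess body and uses a constructed loopback server as a stand-in for Apache, so the same directory can be checked with and without the deny rule being honoured; filesystem permissions play no part in the result, which is why chmod alone cannot satisfy the check.

```python
import functools, http.server, secrets, socketserver, tempfile, threading
import urllib.error, urllib.request
from pathlib import Path

# Assumed .htaccess body, modelled on the "deny any HTTP requests" behaviour
# in comment #2; the module's real file may carry more directives.
HTACCESS = "Deny from all\n"

def secure_dir(directory: Path) -> None:
    """Create the backup directory and drop the Apache deny rule into it."""
    directory.mkdir(parents=True, exist_ok=True)
    (directory / ".htaccess").write_text(HTACCESS)

def is_remotely_readable(base_url: str, docroot: str, rel_dir: str) -> bool:
    """The module's probe: write a random test file, GET it over HTTP, delete
    it. Only a 2xx answer means the directory is publicly accessible."""
    name = f"test-{secrets.token_hex(8)}.txt"
    probe = Path(docroot) / rel_dir / name
    probe.write_text("backup_migrate probe\n")
    try:
        with urllib.request.urlopen(f"{base_url}/{rel_dir}/{name}", timeout=5) as r:
            return 200 <= r.getcode() < 300
    except urllib.error.HTTPError:
        return False  # 403/404: the web server refused to serve the file
    finally:
        probe.unlink(missing_ok=True)

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args): pass  # ignores .htaccess, like a non-Apache front end

class HtaccessAwareHandler(QuietHandler):
    """Constructed Apache stand-in: refuses files below any directory whose
    .htaccess says 'Deny from all'."""
    def do_GET(self):
        target = Path(self.translate_path(self.path)).resolve()
        root = Path(self.directory).resolve()
        for d in (target, *target.parents):
            if root not in d.parents:
                break  # reached the docroot; stop climbing
            ht = d / ".htaccess"
            if ht.is_file() and "Deny from all" in ht.read_text():
                self.send_error(403)
                return
        super().do_GET()

def run_check(honour_htaccess: bool) -> bool:
    """Serve a throwaway docroot on loopback and run the probe against it."""
    rel = "sites/example.com/files/backup_migrate/manual"
    with tempfile.TemporaryDirectory() as docroot:
        secure_dir(Path(docroot) / rel)
        cls = HtaccessAwareHandler if honour_htaccess else QuietHandler
        with socketserver.TCPServer(("127.0.0.1", 0), functools.partial(cls, directory=docroot)) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                return is_remotely_readable(f"http://127.0.0.1:{srv.server_address[1]}", docroot, rel)
            finally:
                srv.shutdown()
```

Running `run_check(False)` reports the directory as publicly readable even though the .htaccess file is present, which is the situation the security notice flags; `run_check(True)` reports it as secured.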