I'm not sure if this is a valid bug or just my box. My system specs: Ubuntu Dapper, Apache 2.X and PHP 4.4.2.

I grabbed Drupal 5.0 beta 1 and did the following steps:
- Untar it and put it in my document root.
- Create the database.
- Change ownership of sites/default/settings.php to www-data.www-data (owner and group), which is the user running Apache.
- Change the file permission (chmod) of sites/default/settings.php to 600 (-rw-------) so that only the www-data user has read and write permission on the file.
- Run the Drupal installer.

Everything went smoothly and the installer reported a successful install. So I went to my new Drupal site and got a lot of file permission errors, which I suspected meant that Drupal can't access settings.php. Sure enough, when I did a file listing in sites/default, I found out that the file permission of settings.php had been changed to 037 (-----wxrwx). The Apache user has no read permission on the file. So I changed the permission back to 600 (-rw-------), and I could then access my new site and create the admin account. But when I went to Administer (?q=admin), I noticed that the settings.php permission had been changed to 037 (-----wxrwx) again.

So I changed ownership to a regular user and set the permission to 644 (-rw-r--r--) so that Drupal can't chmod it.

The reason I wanted www-data (the Apache user) to own settings.php and be the only one with read and write permissions on it is so that others can't view/read the file, which contains my database password.

Is this a valid security loophole?
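The file-mode question in the post above, as an added example that is not part of this thread or of Drupal: a small POSIX shell audit that classifies a settings.php mode the way the symptom needs (600 is owner-only; 037 leaves the owning web server user with no read bit; 644 lets every local account read the database password) and then checks a real file. The function names are my own, and the file check assumes GNU stat on Linux.

```shell
# Added example, not code from the thread or from Drupal.
# classify_mode MODE   (MODE as printed by `stat -c %a`, e.g. 600, 37, 644)
# Prints one word describing who can read the file:
#   owner-unreadable  the owning (web server) user cannot read it at all
#   world-readable    any local user can read the database password
#   group-readable    readable by the file's group only (fine only if that
#                     group is the web server's and nothing else)
#   ok                owner-only read/write
classify_mode() {
    perm=$(( 0$1 ))            # leading 0 makes the shell parse it as octal
    owner=$(( (perm >> 6) & 7 ))
    group=$(( (perm >> 3) & 7 ))
    other=$(( perm & 7 ))
    if [ $(( owner & 4 )) -eq 0 ]; then
        echo owner-unreadable
    elif [ $(( other & 4 )) -ne 0 ]; then
        echo world-readable
    elif [ $(( group & 4 )) -ne 0 ]; then
        echo group-readable
    else
        echo ok
    fi
}

# check_settings_file FILE
# Reports owner and mode; exit status 0 only when the mode is owner-only.
# Assumes GNU stat (-c '%a' and '%U'), i.e. a Linux box like the reporter's.
check_settings_file() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    uid_name=$(stat -c '%U' "$file")
    verdict=$(classify_mode "$mode")
    echo "$file: owner=$uid_name mode=$mode verdict=$verdict"
    [ "$verdict" = ok ]
}

# Usage (hypothetical path from the thread):
#   check_settings_file sites/default/settings.php
```

Run it after the installer finishes and again after the first visit to ?q=admin; a verdict of owner-unreadable is the symptom the post describes, and world-readable is the exposure the reporter was trying to avoid.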

Comments

harry slaughter

I ran the 5.0b1 installer process (for the first time).

The installer didn't touch permissions. Initially it warned me that the web server did not have write perms, so I fixed that. After the install process, I was reminded to remove web server write access.

I don't think this is a problem.

sofiya

Who's the user/owner of your settings.php file?

Methinks the problem exists if you change the file ownership to the Apache user and make the permission rw only for that user.

Tim99

Don't know what I'm doing wrong. I did not change any permissions by hand. I just downloaded Drupal5-beta1, unpacked it, uploaded it to the server, made my MySQL5 database and started the installer. When I want to visit my new page I get the above-described error and can't change the permissions of settings.php.

The only thing I changed was to comment out the Apache check, as Apache 1.3 is required and my hosting provider uses a modified Apache which reports itself as Apache 1.2. But Drupal 5 runs on this Apache, and my ISP says it is in fact an Apache 1.3.

chx

Status: Active » Closed (won't fix)

If you do not like me saying won't fix, then consider this issue a duplicate of http://drupal.org/node/99011.