Currently allow_authorize_operations defaults to TRUE. This allows users to download code into their site. This functionality should be specifically enabled so if a site is compromised the attacker can't install arbitrary modules.

This issue came out of a conversation on twitter - https://twitter.com/skwashd/status/362541343911854081

I have lost track of Drupal 8, so I'm filing this against D7 with a patch. I know it will need to be implemented in D8 first.

Patch coming right up.

Here's the documentation on the killswitch:

/**
* Authorized file system operations:
*
* The Update manager module included with Drupal provides a mechanism for
* site administrators to securely install missing updates for the site
* directly through the web user interface by providing either SSH or FTP
* credentials. This allows the site to update the new files as the user who
* owns all the Drupal files, instead of as the user the webserver is running
* as. However, some sites might wish to disable this functionality, and only
* update the code directly via SSH or FTP themselves. This setting completely
* disables all functionality related to these authorized file operations.
*
* Remove the leading hash signs to disable.
*/
# $conf['allow_authorize_operations'] = FALSE;

CommentFileSizeAuthor
#3 update-default-allow_authorize_operations-false-2055185.patch1.92 KBtimmillwood
#1 2055185-default-allow_authorize_operations-false.patch2.45 KBskwashd
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

skwashd’s picture

skwashd CreditAttribution: skwashd commented
FileSize
2055185-default-allow_authorize_operations-false.patch2.45 KB

Here is the patch.

skwashd’s picture

skwashd CreditAttribution: skwashd commented
Status: Active » Needs review

Fix status

timmillwood’s picture

timmillwood
Primary language English
Location 🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK
CreditAttribution: timmillwood commented
Version: 7.x-dev » 8.x-dev
FileSize
update-default-allow_authorize_operations-false-2055185.patch1.92 KB

Here's a Drupal 8 version of the patch.

chx’s picture

chx CreditAttribution: chx commented
Status: Needs review » Reviewed & tested by the community

That makes a lot of sense.

timmillwood’s picture

timmillwood
Primary language English
Location 🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK
CreditAttribution: timmillwood commented

Once committed to D8 would it be a good idea to backport to D7 with skwashd's patch? To me this sounds like a good fit for a D7 security update.

skwashd’s picture

skwashd CreditAttribution: skwashd commented
Status: Reviewed & tested by the community » Needs review

@chx's RTBC was for my patch. Putting back to needs review for Tim's patch.

chx’s picture

chx CreditAttribution: chx commented
Status: Needs review » Reviewed & tested by the community

I have reviewed Tim's patch and I RTBC'd it. I am not sure where the confusion is from.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Needs review

This seems to remove one of the most useful features we added in D7, and one whose very target audience are people who are not technical enough to edit settings.php by hand to restore its functionality.

Is there some kind of specific vulnerability that can be done with update.module? I'd rather harden it another way that doesn't destroy usability.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Title: Change the default for allow_authorize_operations to FALSE » Change the default for allow_authorize_operations to FALSE (disable the ability to download modules/themes from UI by default)
Issue tags: +Usability

Fixing title.

timmillwood’s picture

timmillwood
Primary language English
Location 🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK
CreditAttribution: timmillwood commented

Webchick,

I think the risk here is unsafe modules (such as PHP Filter when it moved to contrib) being installed by people who have managed to get access to the admin interface. Thankfully many of the big name hosts have a read-only codebase and force code to be committed via a version control system, but many don't.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented

The flip-side is people not bothering to update their modules to secure versions because it's an incredible pain in the ass. It was reps from the security team who added this feature in the first place for that reason.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented

Also, my normal way of using this is to run update status on localhost, then check the updated code into Git, then deploy that to prod. Don't assume that this really useful feature precludes the use of version control and other best practices.

Status: Needs review » Needs work

The last submitted patch, update-default-allow_authorize_operations-false-2055185.patch, failed testing.

timmillwood’s picture

timmillwood
Primary language English
Location 🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK
CreditAttribution: timmillwood commented

oooh looks like have tests that depend on this being enabled.

/me goes to work out how to do a variable_set() (or whatever the new version is) in a test.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

q11q11’s picture

q11q11 CreditAttribution: q11q11 as a volunteer commented
Issue summary: View changes

Just spent half a day figuring out why I'm getting "access denied" at /admin/modules/update as user/1, only to face that I have

$settings['allow_authorize_operations'] = FALSE;

in settings.php

So... I suppose forcing this to FALSE by default will give "access denied" at /admin/modules/update even for user/1, w/o any other checks.
And the only way to gain access back will explicitly be

$settings['allow_authorize_operations'] = TRUE;

in settings.php.

Or to make some other way of access check in ./core/modules/update/src/Access/UpdateManagerAccessCheck.php in access() method.

Anybody’s picture

Anybody
Primary language German
Location Porta Westfalica
CreditAttribution: Anybody as a volunteer and at DROWL.de commented
Title: Change the default for allow_authorize_operations to FALSE (disable the ability to download modules/themes from UI by default) » Change the default for allow_authorize_operations to FALSE (disable the ability to download modules/themes from UI by default) and show reason on access denied
Version: 8.9.x-dev » 9.3.x-dev
Issue summary: View changes

Confirming #23... same here! -.-

Finding out why access is denied to the update.module pages, while 'administer software updates' was given, drove me bonkers and is a situation which shouldn't be kept this way!
As a developer I had a chance to find this, but non-developer users will cry...

Current behavior (TL;DR):

If "allow_authorize_operations" is set FALSE in settings.php

$settings['allow_authorize_operations'] = FALSE;
  • all routes using _access_update_manager: 'TRUE' (see below) are affected and return ACCESS DENIED
  • no reason for the access denied is given
  • 'administer software updates' permission doesn't affect anything
  • menu items linking these ACCESS DENIED pages are still visible

So you're left alone in the dark with the ACCES DENIED message!

Expected behavior

At least show a message for users with 'administer software updates' on the affected routes which tells them that this setting is set to TRUE and results in ACCESS DENIED and link it to a documentation page.

Also add documentation to the settings.php comment which tells the administrator that these pages can't be accessed anymore if the setting is TRUE.

Relation and relevance for this issue

When changing the value to TRUE by default, as requested here, the situation will be worse as all new Drupal installations are affected!
So I'd see a fix for that as a precondition to change the value to TRUE by default.

Affected routes

These are the pages from update.routing.yml affected by UpdateManagerAccessCheck and 'allow_authorize_operations' setting:

update.report_install:
  path: '/admin/reports/updates/install'
  defaults:
    _form: '\Drupal\update\Form\UpdateManagerInstall'
    _title: 'Add new module or theme'
  requirements:
    _permission: 'administer software updates'
    _access_update_manager: 'TRUE'

update.report_update:
  path: '/admin/reports/updates/update'
  defaults:
    _form: '\Drupal\update\Form\UpdateManagerUpdate'
    _title: 'Update'
  requirements:
    _permission: 'administer software updates'
    _access_update_manager: 'TRUE'

update.module_install:
  path: '/admin/modules/install'
  defaults:
    _form: '\Drupal\update\Form\UpdateManagerInstall'
    _title: 'Add new module'
  requirements:
    _permission: 'administer software updates'
    _access_update_manager: 'TRUE'

update.module_update:
  path: '/admin/modules/update'
  defaults:
    _form: '\Drupal\update\Form\UpdateManagerUpdate'
    _title: 'Update'
  requirements:
    _permission: 'administer software updates'
    _access_update_manager: 'TRUE'

update.theme_install:
  path: '/admin/theme/install'
  defaults:
    _form: '\Drupal\update\Form\UpdateManagerInstall'
    _title: 'Add new theme'
  requirements:
    _permission: 'administer software updates'
    _access_update_manager: 'TRUE'

update.theme_update:
  path: '/admin/theme/update'
  defaults:
    _form: '\Drupal\update\Form\UpdateManagerUpdate'
    _title: 'Update'
  requirements:
    _permission: 'administer software updates'
    _access_update_manager: 'TRUE'

update.confirmation_page:
  path: '/admin/update/ready'
  defaults:
    _form: '\Drupal\update\Form\UpdateReady'
    _title: 'Ready to update'
  requirements:
    _permission: 'administer software updates'
    _access_update_manager: 'TRUE'

Should we split these issues or keep them together?

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

galactus86’s picture

galactus86 CreditAttribution: galactus86 as a volunteer and at Mediacurrent commented

I just ran into this randomly myself. It definitely would benefit from a better warning message, at minimum.

dww’s picture

dww
we/he/they
CreditAttribution: dww at TEN7 commented
Title: Change the default for allow_authorize_operations to FALSE (disable the ability to download modules/themes from UI by default) and show reason on access denied » If allow_authorize_operations is FALSE, print a better error about it on Update Manager routes

Until the Auto Update Initiative is done, there's no way we're going to change the default for this killswitch. The target audience of the Update Manager are non-technical users who are the least likely to go hacking around in settings.php to figure this out and opt-in. The whole thing was built to help those people keep their sites more up to date. Having it default to FALSE would completely remove what value it provides by turning it off for exactly the group it was designed to serve.

However, I agree that when the setting is FALSE, the error messages could be more helpful than a generic 403. Giving this a better title/scope to reflect what could happen here.

Thanks,
-Derek

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.