Currently allow_authorize_operations defaults to TRUE. This allows users to download code into their site. This functionality should be specifically enabled so if a site is compromised the attacker can't install arbitrary modules.
This issue came out of a conversation on twitter - https://twitter.com/skwashd/status/362541343911854081
I have lost track of Drupal 8, so I'm filing this against D7 with a patch. I know it will need to be implemented in D8 first.
Patch coming right up.
Here's the documentation on the killswitch:
/**
* Authorized file system operations:
*
* The Update manager module included with Drupal provides a mechanism for
* site administrators to securely install missing updates for the site
* directly through the web user interface by providing either SSH or FTP
* credentials. This allows the site to update the new files as the user who
* owns all the Drupal files, instead of as the user the webserver is running
* as. However, some sites might wish to disable this functionality, and only
* update the code directly via SSH or FTP themselves. This setting completely
* disables all functionality related to these authorized file operations.
*
* Remove the leading hash signs to disable.
*/
# $conf['allow_authorize_operations'] = FALSE;
Comment | File | Size | Author |
---|---|---|---|
#3 | update-default-allow_authorize_operations-false-2055185.patch | 1.92 KB | timmillwood |
#1 | 2055185-default-allow_authorize_operations-false.patch | 2.45 KB | skwashd |
Comments
Comment #1
skwashd CreditAttribution: skwashd commentedHere is the patch.
Comment #2
skwashd CreditAttribution: skwashd commentedFix status
Comment #3
timmillwoodHere's a Drupal 8 version of the patch.
Comment #4
chx CreditAttribution: chx commentedThat makes a lot of sense.
Comment #5
timmillwoodOnce committed to D8 would it be a good idea to backport to D7 with skwashd's patch? To me this sounds like a good fit for a D7 security update.
Comment #6
skwashd CreditAttribution: skwashd commented@chx's RTBC was for my patch. Putting back to needs review for Tim's patch.
Comment #7
chx CreditAttribution: chx commentedI have reviewed Tim's patch and I RTBC'd it. I am not sure where the confusion is from.
Comment #8
webchickThis seems to remove one of the most useful features we added in D7, and one whose very target audience are people who are not technical enough to edit settings.php by hand to restore its functionality.
Is there some kind of specific vulnerability that can be done with update.module? I'd rather harden it another way that doesn't destroy usability.
Comment #9
webchickFixing title.
Comment #10
timmillwoodWebchick,
I think the risk here is unsafe modules (such as PHP Filter when it moved to contrib) being installed by people who have managed to get access to the admin interface. Thankfully many of the big name hosts have a read-only codebase and force code to be committed via a version control system, but many don't.
Comment #11
webchickThe flip-side is people not bothering to update their modules to secure versions because it's an incredible pain in the ass. It was reps from the security team who added this feature in the first place for that reason.
Comment #12
webchickAlso, my normal way of using this is to run update status on localhost, then check the updated code into Git, then deploy that to prod. Don't assume that this really useful feature precludes the use of version control and other best practices.
Comment #14
timmillwoodoooh looks like have tests that depend on this being enabled.
/me goes to work out how to do a variable_set() (or whatever the new version is) in a test.
Comment #23
q11q11 CreditAttribution: q11q11 as a volunteer commentedJust spent half a day figuring out why I'm getting "access denied" at /admin/modules/update as user/1, only to face that I have
in settings.php
So... I suppose forcing this to FALSE by default will give "access denied" at /admin/modules/update even for user/1, w/o any other checks.
And the only way to gain access back will explicitly be
in settings.php.
Or to make some other way of access check in ./core/modules/update/src/Access/UpdateManagerAccessCheck.php in access() method.
Comment #24
AnybodyConfirming #23... same here! -.-
Finding out why access is denied to the update.module pages, while 'administer software updates' was given, drove me bonkers and is a situation which shouldn't be kept this way!
As a developer I had a chance to find this, but non-developer users will cry...
Current behavior (TL;DR):
If "allow_authorize_operations" is set FALSE in settings.php
_access_update_manager: 'TRUE'
(see below) are affected and return ACCESS DENIEDSo you're left alone in the dark with the ACCES DENIED message!
Expected behavior
At least show a message for users with 'administer software updates' on the affected routes which tells them that this setting is set to TRUE and results in ACCESS DENIED and link it to a documentation page.
Also add documentation to the settings.php comment which tells the administrator that these pages can't be accessed anymore if the setting is TRUE.
Relation and relevance for this issue
When changing the value to TRUE by default, as requested here, the situation will be worse as all new Drupal installations are affected!
So I'd see a fix for that as a precondition to change the value to TRUE by default.
Affected routes
These are the pages from update.routing.yml affected by UpdateManagerAccessCheck and 'allow_authorize_operations' setting:
Should we split these issues or keep them together?
Comment #26
galactus86 CreditAttribution: galactus86 as a volunteer and at Mediacurrent commentedI just ran into this randomly myself. It definitely would benefit from a better warning message, at minimum.
Comment #27
dwwUntil the Auto Update Initiative is done, there's no way we're going to change the default for this killswitch. The target audience of the Update Manager are non-technical users who are the least likely to go hacking around in settings.php to figure this out and opt-in. The whole thing was built to help those people keep their sites more up to date. Having it default to FALSE would completely remove what value it provides by turning it off for exactly the group it was designed to serve.
However, I agree that when the setting is FALSE, the error messages could be more helpful than a generic 403. Giving this a better title/scope to reflect what could happen here.
Thanks,
-Derek