diff --git a/includes/install.core.inc b/includes/install.core.inc
index b18d23d213..9da9b0cce6 100644
--- a/includes/install.core.inc
+++ b/includes/install.core.inc
@@ -1505,10 +1505,23 @@ function install_configure_form($form, &$form_state, &$install_state) {
 // especially out of place on the last page of the installer, where it would
 // distract from the message that the Drupal installation has completed
 // successfully.)
- if (empty($_POST) && (!drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_file, FILE_EXIST|FILE_READABLE|FILE_NOT_WRITABLE) || !drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_dir, FILE_NOT_WRITABLE, 'dir'))) {
- drupal_set_message(st('All necessary changes to %dir and %file have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the online handbook.', array('%dir' => $settings_dir, '%file' => $settings_file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'warning');
+
+ $skip_permissions_hardening = variable_get('skip_permissions_hardening', FALSE);
+ // Allow system administrators to ignore permissions hardening for the site
+ // directory. This allows additional files in the site directory to be
+ // updated when they are managed in a version control system.
+
+ if (!$skip_permissions_hardening) {
+ if (empty($_POST) && (!drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_file, FILE_EXIST | FILE_READABLE | FILE_NOT_WRITABLE) || !drupal_verify_install_file(DRUPAL_ROOT . '/' . $settings_dir, FILE_NOT_WRITABLE, 'dir'))) {
+ drupal_set_message(st('All necessary changes to %dir and %file have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the online handbook.', array(
+ '%dir' => $settings_dir,
+ '%file' => $settings_file,
+ '@handbook_url' => 'http://drupal.org/server-permissions'
+ )), 'warning');
+ }
 }
+
 drupal_add_js(drupal_get_path('module', 'system') . '/system.js');
 // Add JavaScript time zone detection.
 drupal_add_js('misc/timezone.js');
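Review bot: The explanatory comment in this hunk sits below the `$skip_permissions_hardening = variable_get(...)` assignment and is followed by a blank line, so it documents nothing in particular; the system.install hunk of the same commit places the identical comment above the assignment, and this one should match. The extra nesting level can be avoided by folding the flag into the existing condition, `if (!$skip_permissions_hardening && empty($_POST) && (...))`, which leaves the `drupal_set_message()` call as it was. With the flag set the installer says nothing about write permissions on the settings file and directory, while the status report at least shows a 'Protection disabled' warning; it is worth confirming that the asymmetry is intended. install_configure_form() begins and ends outside this hunk.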
diff --git a/modules/system/system.install b/modules/system/system.install
index 299668af24..d0457121f5 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -236,27 +236,43 @@ function system_requirements($phase) {
 // Test settings.php file writability
 if ($phase == 'runtime') {
- $conf_dir = drupal_verify_install_file(conf_path(), FILE_NOT_WRITABLE, 'dir');
- $conf_file = drupal_verify_install_file(conf_path() . '/settings.php', FILE_EXIST|FILE_READABLE|FILE_NOT_WRITABLE);
- if (!$conf_dir || !$conf_file) {
- $requirements['settings.php'] = array(
- 'value' => $t('Not protected'),
- 'severity' => REQUIREMENT_ERROR,
- 'description' => '',
- );
- if (!$conf_dir) {
- $requirements['settings.php']['description'] .= $t('The directory %file is not protected from modifications and poses a security risk. You must change the directory\'s permissions to be non-writable. ', array('%file' => conf_path()));
+ // Allow system administrators to ignore permissions hardening for the site
+ // directory. This allows additional files in the site directory to be
+ // updated when they are managed in a version control system.
+ $skip_permissions_hardening = variable_get('skip_permissions_hardening', FALSE);
+
+ if (!$skip_permissions_hardening) {
+ $conf_dir = drupal_verify_install_file(conf_path(), FILE_NOT_WRITABLE, 'dir');
+ $conf_file = drupal_verify_install_file(conf_path() . '/settings.php', FILE_EXIST | FILE_READABLE | FILE_NOT_WRITABLE);
+
+ if (!$conf_dir || !$conf_file) {
+ $requirements['settings.php'] = array(
+ 'value' => $t('Not protected'),
+ 'severity' => REQUIREMENT_ERROR,
+ 'description' => '',
+ );
+ if (!$conf_dir) {
+ $requirements['settings.php']['description'] .= $t('The directory %file is not protected from modifications and poses a security risk. You must change the directory\'s permissions to be non-writable. ', array('%file' => conf_path()));
+ }
+ if (!$conf_file) {
+ $requirements['settings.php']['description'] .= $t('The file %file is not protected from modifications and poses a security risk. You must change the file\'s permissions to be non-writable.', array('%file' => conf_path() . '/settings.php'));
+ }
 }
- if (!$conf_file) {
- $requirements['settings.php']['description'] .= $t('The file %file is not protected from modifications and poses a security risk. You must change the file\'s permissions to be non-writable.', array('%file' => conf_path() . '/settings.php'));
+ else {
+ $requirements['settings.php'] = array(
+ 'value' => $t('Protected'),
+ );
 }
+ $requirements['settings.php']['title'] = $t('Configuration file');
 }
 else {
 $requirements['settings.php'] = array(
- 'value' => $t('Protected'),
+ 'title' => $t('Configuration file'),
+ 'value' => $t('Protection disabled'),
+ 'severity' => REQUIREMENT_WARNING,
+ 'description' => 'The protection is disabled by the setting "skip_permissions_hardening" in your settings.php.',
 );
 }
- $requirements['settings.php']['title'] = $t('Configuration file');
 }
 // Test the contents of the .htaccess files.
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 32a470d90a..edba704225 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -770,3 +770,15 @@ $conf['mail_display_name_site_name'] = TRUE;
 * This functionality can be re-enabled by setting this variable to TRUE.
 */
 # $conf['set_has_js_cookie'] = FALSE;
+
+/**
+ * Skip file system permissions hardening.
+ *
+ * The system module will periodically check the permissions of your site's
+ * site directory to ensure that it is not writable by the website user. For
+ * sites that are managed with a version control system, this can cause problems
+ * when files in that directory such as settings.php are updated, because the
+ * user pulling in the changes won't have permissions to modify files in the
+ * directory.
+ */
+# $conf['skip_permissions_hardening'] = TRUE;
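Review bot: The `'description'` of the new 'Protection disabled' requirement in system_requirements() is a bare string literal, while every other user-facing string in this hunk goes through `$t()`, so this security warning cannot be translated. It should read `'description' => $t('The protection is disabled by the setting "skip_permissions_hardening" in your settings.php.'),`. The wording also assumes the value comes from settings.php; `variable_get()` returns values stored in the variable table as well, so the text may point the administrator at the wrong place, and something like "by the variable skip_permissions_hardening" would be safer. system_requirements() begins and ends outside this hunk.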
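Review bot: The new docblock for `skip_permissions_hardening` in default.settings.php explains the convenience but not what is given up. Per the system.install hunk of this commit, enabling it replaces the writability check on settings.php and the site directory with a 'Protection disabled' warning, so a configuration file that the web server user can modify is no longer reported as an error. I would add a closing sentence to the docblock such as `Enabling this turns off the status report check that settings.php and its directory are not writable; only use it when file permissions are enforced by other means.`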