Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
version: 0.4-beta2
Currently post provision-verify, it's possible to end up with a local.settings.php owned by aegir.aegir and with inappropriate permissions like 600. Obviously this would cause anything in local.settings.php to be ignored since the web server user can't read the file. Worse, you could end up with permissions like 666 which violate security best practices.
During site verification, if local.settings.php exists, it should be chgrp'd to the web server group and chmod'd 440.
Comment | File | Size | Author |
---|---|---|---|
#26 | local_settings_php_can-1066000-26.patch | 1.45 KB | helmo |
#19 | patch_commit_41bc971e9c1f.patch | 1.93 KB | omega8cc |
#18 | patch_commit_820d89fdfc0a.patch | 1.48 KB | omega8cc |
#17 | provision-1066000-file-local-settings-php.patch | 931 bytes | Steven Jones |
Comments
Comment #1
anarcat CreditAttribution: anarcat commentedI disagree - the local.settings.php is managed by the user, so the user should make sure the permissions are OK. Keep in mind that local.settings.php could be created with an ownership that would make aegir incapable of changing the mode (ie. if local.settings.php, which would seem to be a logical use for it), which would then make provision-verify fail.
I would rather leave this up to the user. No?
Comment #2
bwood CreditAttribution: bwood commentedMiguel encouraged me to post here: http://community.aegirproject.org/node/362
I can see your point, but from the server admin's perspective: Aegir demands a non-standard drupal site development process i.e. user can't write to settings.php. Work around is that the user writes to local.settings.php. Bad perms on local.settings.php could compromise security. I agree that the user should set correct perms, but I was thinking that, as is the case with settings.php on a site import (IIRC), Aegir could set correct group/perms on local.settings.php if it is able. I was imagining:
pseudo code:
I can continue to manage the permissions on this file externally to Aegir if you don't think this is doable/appropriate.
Comment #3
anarcat CreditAttribution: anarcat commentedI guess I see the point, thanks for updating this.
I am not sure I understand why people would have security-sensitive stuff in local.settings.php when the DB password is already in the settings.php, but I guess it can happen.
We can probably fix perms on verify, but note that if the user screws up the permissions when they edit the file, there's always going to be a window when the file will be vulnerable, so this may create a false sense of security..
Comment #4
crea CreditAttribution: crea commentedSubscribing
Comment #5
crea CreditAttribution: crea commentedI observe the following behavior: after migration local.settings.php group ownership resets from www-data to aegir, leading to webserver not being able to access the file, so local settings stop working after migration. I consider this a bug, not a feature
Comment #6
crea CreditAttribution: crea commentedWhat happens here: tar extracts files ignoring ownership, so group ownership resets to running user (aegir).
Would making tar keep ownership add any security risks ?
I.e. change to
$command = 'gunzip -c %s | tar --same-owner -p -x -f -';
Comment #7
crea CreditAttribution: crea commentedComment #8
crea CreditAttribution: crea commentedComment #9
crea CreditAttribution: crea commentedThe workaround is to set local.settings.php world-readable, but it adds security implications (you can't place secure credentials there, for example)
Comment #10
Robin Millette CreditAttribution: Robin Millette commentedsubbing
Comment #11
Steven Jones CreditAttribution: Steven Jones commentedWe have this happening on some aegir installs of ours, but not others. The local.settings.php becomes owned by aegir:aegir and so the web server can't read it, which screws things up nicely. Needs some investigation.
Comment #12
omega8cc CreditAttribution: omega8cc commentedI think it is rather docs candidate and admin's responsibility to create this file world-readable, as there are no passwords etc stored probably, so it doesn't matter if the file ownership will change.
However, I never experienced that, even for sites cloned/migrated - Aegir never touched this file for me and it was always moved as-is.
Comment #13
gmania CreditAttribution: gmania commentedSeeing this problem on our install as well. Particularly frustrating when permissions get changed while migrating a site and thus botching the whole genius of Aegir.
Setting world readable is not really an option, as this has security implications if things like API keys for external services (Facebook, AWS, etc) are stored in local.settings.php It seems to me to be the appropriate place to store stuff like that, but if anyone has any suggestions as to where to store that sort of info, I'm always open to ideas!
Comment #14
gmania CreditAttribution: gmania commentedHere's a quick fix:
Add the following code to a MYFILE.drush.inc file in /var/aegir/.drush
Tested and working with Apache.
If we're interested in updating Provision to include this code, should be as simple as adding this code somewhere in deploy.provision.inc
Comment #15
anarcat CreditAttribution: anarcat commentedI think this would make sense, *if* this will not fail if local.settings.php is absent or if aegir can't change the perms. Can you roll out a patch that would do that?
Thanks.
Comment #16
Steven Jones CreditAttribution: Steven Jones commentedSure.
Comment #17
Steven Jones CreditAttribution: Steven Jones commentedHere's a patch, doesn't try to do anything with the permissions, but keeps the group correct, so the end user is free to set the permissions as they need.
Comment #18
omega8cc CreditAttribution: omega8cc commentedOr we could create an empty
local.settings.php
file by default, with correct ownership/group and permissions and then always check/set them only infunction provision_drupal_drush_exit()
, so only once on successful verify. Note that attached example patch is for 6.x-2.xComment #19
omega8cc CreditAttribution: omega8cc commentedThe patch from #18 is designed to break the site, as it never sets correct
gid
when the file exists. Fixed patch for 6.x-2.x attached.Comment #20
Steven Jones CreditAttribution: Steven Jones commentedThanks for the patch, but I think that we should make sure that the permissions are at least enough to not cause any errors, but we shouldn't force the permissions to 0440 unless we have good reason to?
Comment #21
helmo CreditAttribution: helmo commentedsettings.php gets 0440.
As that was done as a security measure why not for local.settings.php as well?
The reason against making it read-only it is convenience ... ?
Comment #22
Steven Jones CreditAttribution: Steven Jones commentedWell, local.settings.php is supposed to not really be managed by Aegir at all, it's just for people to pop their special config in anyway. So we should aim to ensure that it has the permissions that we need at least, but we shouldn't then start taking whatever permissions it has away if people have set them like that.
Comment #23
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedthanks. this is nice.
I agree that having it be the same settings as settings.php is a good idea. As an admin if I want to go in and edit, I just need to take the extra step.
Up until now I have constantly had to go in and do the chown/chmod dance. Thanks for this patch.
Comment #24
helmo CreditAttribution: helmo commentedStill applies to 7.x-3.x and still sounds reasonable to add... Any objections left?
Comment #25
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedthe patch works for me
Comment #26
helmo CreditAttribution: helmo at Initfour websolutions commentedThe chmod and chgrp part was identical between the if and else blocks... so this new patch simplifies it a bit.
Committing.
Comment #28
helmo CreditAttribution: helmo at Initfour websolutions commented