(this is based on some previous conversation, apologies if I skip some background information)
Backup and Migrate is a great tool in a lot of ways, but on a production environment it can currently be used for a lot of malicious things in a short amount of time: downloading a full db backup, uploading a new set of files/database code which might break the whole site, etc. It would be nice to provide ways limit that functionality though these settings, by nature, can't be in the UI and probably shouldn't be (they would be overly complex for 90% of the module's users).
Of course if someone has access to BAM they can probably also administer modules and other such things which would let them do malicious things in other ways - the idea here is *not* that disabling the BAM UI makes Drupal perfectly secure, it's just that it would require more work for someone to achieve actions which BAM makes trivial.
Comment | File | Size | Author |
---|---|---|---|
#14 | backup_migrate-n1359384-14.patch | 9.07 KB | BrankoC |
#8 | backup_migrate-n1359384-8-d7.patch | 8.75 KB | DamienMcKenna |
Comments
Comment #1
couturier CreditAttribution: couturier as a volunteer commentedI'm not sure that this is still an issue in the 7.x-3.x branch. The 7.x-2.x branch will be deprecated soon. See this issue: Verify 7.x-2.x -to- 7.x-3.x upgrade path, mark 7.x-2.x as unsupported.
Comment #2
gregglesThe idea was to make a way to disable the UI in production, e.g. something in settings.php so the scenario works like this:
* admin installs BAM and configures it including a scheduled backup
* admin modifies their settings.php to disable the BAM admin UI
* if an attacker is able to login to the site now the attacker cannot modify the BAM settings to send the db backup to the attacker
I believe this is relevant for the 7.x-3.x and the 8.x branches, so moving it forward based on that belief.
Comment #3
couturier CreditAttribution: couturier as a volunteer commentedIf it is relevant to 8.x, then by all means let's move it there. All current development is taking place in the D8 port, and resources are very limited for this module right now.
Comment #4
Alex Andrascu CreditAttribution: Alex Andrascu at Intellix commentedI agree with @greggles on this one and it might even worth backporting it. Patches welcome as always :)
Comment #5
Alex Andrascu CreditAttribution: Alex Andrascu at Intellix commentedComment #6
Alex Andrascu CreditAttribution: Alex Andrascu at Intellix commentedWondering if #2135827: The Download method should be related to the role permissions mitigates this in any way ? That's been recently fixed and will be pushed in the next release.
Comment #7
couturier CreditAttribution: couturier as a volunteer commented@Alex Andrascu This is a problem with both the 7.x-3.x and 8.x-4.x branch, that it appears @ronan has done some code changes in dev that weren't always seen in the issues, so that's why I've repeatedly asked reporters of the older issues to confirm that the problems still exist with your latest releases. This way we can find out what has been fixed and what hasn't. Also as you point out, some of the fixes that are marked as finished have already helped related issues.
Comment #8
DamienMcKennaMaybe something like this? It's untested, but it gives you a general idea of one possible solution.
Comment #9
Alex Andrascu CreditAttribution: Alex Andrascu at Intellix commentedThis looks pretty solid to me. Can you please test the 7.x version and we'll look into the 8.x one ?
Comment #10
DamienMcKennaWe need a test to make sure it works as intended.
Comment #11
Alex Andrascu CreditAttribution: Alex Andrascu at Intellix commentedWe’re working on it. Should be in by early next week.
Later edit... just realised this is for 7.x. We are working on tests for 8.x ...
Comment #12
DamienMcKenna@Alex: No worries, I don't mean to put extra pressure on you, I just think that something with security implications definitely should have tests before it's committed. I'll see if I can throw something together soon (if someone doesn't beat me to it).
Comment #13
DamienMcKennaComment #14
BrankoC CreditAttribution: BrankoC as a volunteer commentedA reroll of #8.
I haven't provided an interdiff, because I could not apply #8.
I added a bit to the documentation about clearing the menu cache.
I tried to create a test for this patch, but failed because 1) I don't know how to override variable overrides; and 2) I am not sure which settings file the testing module uses in the first place.
I had this so far: