I updated a few sites with the 7.24 security update today, replaced the htaccess files in my public and private directories. However, I am still getting a big fat error/warning message regarding a security risk for the /tmp directory. I cannot change nor do I have access to the /tmp directory... here is what my hosting company said...

"The /tmp is a directory on the server root, where user accounts have no read access. If the Drupal check tries to read a .htaccess file in that directory, it wouldn't be able to, even if we put one there. I expect that causes the warning. However, as we pointed out, web access is not possible to that directory, so there is no actual need for a .htaccess file to deny HTTP requests there."

I guess my questions are... why am I getting this error message? How do I get rid of it... is this an error in the update?

I've also included screenshots of the error message I am getting and my files system page.

Any help would be greatly appreciated.

Comments

IreOke’s picture

Same here, and worse, with the at-commerce adaptive theme I can't get access to my files directory... any ideas??

sonjaraydpc’s picture

I am having the same problem. Cannot access the /tmp directory. I am using GoDaddy for hosting, I have a premium hosting account. When I put the recommended .htaccess file into the root directory of my site I cannot access my site. When I remove it I can access the site. I have the recommended .htaccess file in the sites/default/files directory and does not seem to affect getting to the site. Also all of my images are no longer displaying on my site.

sonjaraydpc’s picture

Update to my comment above, I contacted GoDaddy and the /tmp directory does not exist on my hosting account. I am wondering if a fresh install of Drupal 7.24 would fix my issues?

ezcompute’s picture

I am also getting the error about /tmp directory to which I have no access.

naheemsays’s picture

Have you checked you are pointing to the correct location for the tmp directory?

Look in admin/config/media/file-system and if there is no trailing slash, it won't be in the root of your Linux partition. You can also set the tmp to a new destination from there - put it outside the root html folder, but it should remain readable and writable.

(If Drupal couldn't write to it, aggregation of css/js would fail so chances are you are looking at the wrong tmp directory.)

sonjaraydpc’s picture

I am looking in the correct place admin/config/media/file-system, the directory does not exist for my hosting account. I tried deleting /tmp from admin/config/media/file-system and Drupal does not delete it from the Temporary Directory field. I realized that all of my themes and downloaded modules are gone due to following the installation instructions for the security fix. I am going to remove my Drupal installation and start over with a clean install of 7.24. After reading this http://www.ostraining.com/blog/drupal/drupal-724-tmp-directory/?utm_sour..., I realize that my server is probably already secure and I may not have needed this fix.

David_Rothstein’s picture

Status: Active » Closed (duplicate)

Closing as a duplicate of #2141065: Incorrect warnings about insecure .htaccess file in /tmp directory from SA-CORE-2013-003; see that issue for details.

@sonjaraydpc:

"When I put the recommended .htaccess file into the root directory of my site I cannot access my site."

You definitely should not be replacing the .htaccess file at the top of the Drupal installation; doing so will indeed break your site. Only change the ones mentioned in the security announcement (the ones in the various files directories).

"I realized that all of my themes and downloaded modules are gone due to following the installation instructions for the security fix. I am going to remove my Drupal installation and start over with a clean install of 7.24."

You don't need to reinstall Drupal if you don't want; you should just remove the changes to the top-level .htaccess file you made above (and replace that with a fresh copy of the .htaccess file from the Drupal 7.24 download). That should fix the issue.

Then go and change the specific .htaccess files mentioned in the security announcement.

Hope that helps!

Johnxystus’s picture

I use Avoid 404 7.x-1.0 and Attachment Links 7.x-1.0, which worked fine before upgrading to 7.24. After upgrading, all download links from the Attachment Links module are not working - can someone advise on this? Even after installing Download 7.x-2.4, the problem still remains.

Ken_GoDaddy’s picture

@steven_kropp

I'm with GoDaddy and came across your post.

Did @David_Rothstein's suggestion on replacing your .htaccess with the original from the Drupal 7.24 download work for you?

If you are still having issues feel free to reply or send me a private message.

sonjaraydpc’s picture

@Ken_GoDaddy
The "./tmp" file exists outside the public_html folder that GoDaddy gives us for our hosting accounts. After reading all of the information posted on the patch for 7.24 I do not think the patch should have been rolled out to those of us who are getting our hosting through hosting companies with this setup or they should have taken this into consideration and allowed us a way to opt out of the "fix".

NOTE: just in case anyone else had this problem, I also realized after doing a clean install of 7.24 for my website that the "Deny from all" command in the .htaccess in /sites/default/files may have blocked my images from being displayed. After the clean install everything is back to normal.
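
An added example, not part of the thread or of Drupal's code: a shell check for the mix-up discussed above, where a deny-all .htaccess ends up at the top of the Drupal installation or in the public files directory. The function names, the three directory arguments and the sample tree are constructed for illustration, and it assumes the private files directory is the one meant to carry `Deny from all`.

```shell
#!/bin/sh
# Added example: flag .htaccess files that deny all requests where they should not.

# True if FILE has an active "Deny from all" outside any <...> section.
# Directives inside sections (<FilesMatch>, <IfModule>, ...) are ignored.
has_global_deny() {
  [ -f "$1" ] || return 2
  awk '
    /^[ \t]*#/   { next }                           # comment line
    /^[ \t]*<\// { if (depth > 0) depth--; next }   # closing section tag
    /^[ \t]*</   { depth++; next }                  # opening section tag
    depth == 0 && tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# usage: audit_htaccess DRUPAL_ROOT PUBLIC_FILES_DIR PRIVATE_FILES_DIR
# Prints one FAIL line per problem; returns 1 if any were found.
audit_htaccess() {
  rc=0
  if has_global_deny "$1/.htaccess"; then
    echo "FAIL top-level: blocks the whole site; restore the copy shipped with Drupal"
    rc=1
  fi
  if has_global_deny "$2/.htaccess"; then
    echo "FAIL public: blocks images and other public files"
    rc=1
  fi
  # Assumption: the private directory is supposed to refuse all HTTP requests.
  if ! has_global_deny "$3/.htaccess"; then
    echo "FAIL private: no deny rule, files may be served over HTTP"
    rc=1
  fi
  return $rc
}

# Constructed sample tree reproducing the mix-up from the thread.
make_sample_tree() {
  t=$(mktemp -d) && mkdir -p "$t/site/sites/default/files" "$t/private"
  printf 'Deny from all\nOptions None\n' > "$t/site/.htaccess"
  printf '# note\nDeny from all\n' > "$t/site/sites/default/files/.htaccess"
  printf 'Deny from all\n' > "$t/private/.htaccess"
  echo "$t"
}

if [ "$#" -eq 3 ]; then audit_htaccess "$@"; fi
```

Run it with the Drupal root, the public files directory and the private files directory as arguments; it prints nothing when the three files are where they belong.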