Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This is bad behavior, as evidenced by this: http://drupal.org/node/87298#comment-158317
Instead, settings.php should be renamed to some default settings.php that can be read by the system.
When the install module modifies settings.php, it should instead copy this to a user owned settings.php and *that* file should be modified.
One reason that this is marked critical is that if a user goes to update a site, and has settings in settings.php, when they copy files over their settings.php will be LOST.
Files distributed with the tarball should not be modified by Drupal for this reason.
Comment | File | Size | Author |
---|---|---|---|
#43 | fix_sites_3.patch | 3.92 KB | merlinofchaos |
#42 | fix_sites_2.patch | 3.92 KB | merlinofchaos |
#41 | fix_sites_1.patch | 3.93 KB | merlinofchaos |
#40 | fix_sites_0.patch | 2.12 KB | merlinofchaos |
#30 | fix_sites.patch | 1.95 KB | merlinofchaos |
Comments
Comment #1
webchickI assume this should be for 5.x, since 4.7.x doesn't have install.php.
Comment #2
merlinofchaos CreditAttribution: merlinofchaos commentedWhoops. Yes. Forgot to set the version and got the default.
Comment #3
robertDouglass CreditAttribution: robertDouglass commentedI agree with merlinofchaos' analysis, and would most like to see it go one step further and ask you what domain you'd like to access the new site under and create the appropriate folder in sites for that domain.
Comment #4
hunmonk CreditAttribution: hunmonk commenteda big +1 for robert's further refined suggestion above--i think that would be a much more refined implementation than we have now, and probably not that hard to implement.
Comment #5
webchickHm. Except...
I usually set sites up on localhost, initially. Then move them to wherever. If I re-run install.php, does it create the settings file, even though the db tables already exist? Or does it error out saying "Drupal is already installed"?
Comment #6
webchickOh well cool. Looks like it does!
In that case, HUGE +1 for sites/whatever.com. How many times have we had to re-roll patches because sites/default/settings.php got overridden? ;)
If we do choose to add a UI element for this though, it should be under the "Advanced options" fieldset and should be pre-populated with the derived base URL.
Comment #7
webchickLet's try this... may need work though because:
a) I don't know how platform-independent $_SERVER['HTTP_HOST'] is.
b) I only tested it on my own localhost server.
Comment #8
chx CreditAttribution: chx commentedUh huh. Not so fast.
It's not impossible I left out a few things. But most importantly, given the number and the scope of changes and how installer indeed works at this time I deem this a feature request. How has this become a critical issue? A critical issue is when something is fundamentally broken, say node previews do not work.
settings.php overwrites were always possible , if you have special
$conf
then you will take care of it, if not, it's a matter of seconds recreating a $db_url. Do not go overboard, please.Comment #9
ontwerpwerk CreditAttribution: ontwerpwerk commentedHow about if drupal ships with an example.com/settings.php instead of a default/settings.php
nobody will host example.com ( http://www.rfc-editor.org/rfc/rfc2606.txt ) so nobody will accidentally overwrite the settings for their own site when they update by ftp or run install.php etc.
Comment #10
merlinofchaos CreditAttribution: merlinofchaos commentedUh, chx -- this should be critical because upgrading from 5.0 to 5.1 when it comes out will
BREAK YOUR SITE. Badly.
Comment #11
merlinofchaos CreditAttribution: merlinofchaos commentedI'm setting this back to active and critical for the current version.
I believe that things as they are now will become a usability issue, especially when we release Drupal 5.1 as we undoubtedly will, and users go to upgrade.
Users who installed through the new install system will be *unaware* of the settings.php file because they never had to deal with it. When going through the update process, they run a substantial risk of overwriting their settings.php with no ability to retrieve this information.
At a minimum, I believe we need a documentation fix to UPGRADE.txt to explain this situation very carefully, but we should also consider other alternatives that will make the updating problem be less of a hassle. As it is now, when 5.1 rolls out I would expect a LOT of angry forum posts about settings disappearing and people not knowing how to deal with it. Yes much of it will be their error for not backing up or reading the documentation well enough, but I believe we can do better than that.
My current proposal, which I think is the least disruptive is the following:
1) We move default/settings.php to example.com/settings.php -- we assume nobody is running example.com
2) The installer then copies example.com/settings.php to default/settings.php
3) The bootstrap will automatically go to the installer if no settings.php can be found.
I realize this may constitute a minor change in functionality, but I believe this problem is important. Usability is a key issue. Ideally the patch that does this will be *very* short and use already proven means. Since this affects the installation portion only it should be very easy to test that it will not affect the existing infrastructure.
Comment #12
pcwick CreditAttribution: pcwick commentedmfer has been making some updates to UPGRADE.txt here:
http://drupal.org/node/102011
Comment #13
ontwerpwerk CreditAttribution: ontwerpwerk commenteda simple note: we not only assume nobody is running example.com, we know nobody is running that domain.
example.com is a reserved domain that does not exist in real dns servers (see the rfc I mentioned above), and nobody will run it, unless they are in an intranet that has their own *.com space (but then all bets are off anyway and we must assume there is a network admin who knows what he's doing)
Comment #14
mfer CreditAttribution: mfer commented@merlinofchaos - over at http://drupal.org/node/102011 the proposed UPGRADE.txt file makes a point saying not just to backup but to backup the settings.php file and where to find it is both a single site and multisite setup. Does this work for your comments in #11?
Comment #15
Steven CreditAttribution: Steven commentedThe amount of variables involved in implementing this feature means it is not going to happen for 5.0. It is simply too risky to change the installation process now. It is not just a matter of getting file system permissions right, but verifying whether this is a workable approach on the average host and updating all the installation documentation.
However, since 5.0, this is really no longer a critical problem, but merely an inconvenience. We already told the user to edit settings.php in the default dir before, in 4.7.
Here's what happens in 5.0:
- User installs Drupal 5.0, lets install.php alter sites/default/settings.php.
- User runs their site.
- User extracts Drupal 5.1, overwriting sites/default/settings.php back to the default.
- Drupal detects a default db_url string and redirects to install.php.
- After entering the db information again and writing it into settings.php, Drupal detects that it has already been installed, and will tell the user, aborting the installation process. It will also offer the option of going to update.php.
As for having to re-roll patches during development, I find it trivial to use sites/localhost instead of sites/default. As long as you do it once at the beginning, there is never any problem (unless you don't re-use CVS trees). We should not delay 5.0 just because some developers are inconvenienced by this.
Comment #16
merlinofchaos CreditAttribution: merlinofchaos commentedOk, it's high time this was done for Drupal 6, and done early enough to have a chance to make it in.
The changes are minimal, and good:
1) Drupal now ships without a default settings.php at all.
2) If Drupal can't find a settings.php, it goes straight to the installer, it does not pass go, nor does it collect two hundred dollars.
3) There is no more reliance on 'username:password' to see if we're on the default settings.php.
4) We'll never see settings.php checked in with a changed username:password again.
Comment #17
Dries CreditAttribution: Dries commentedThis patch looks straightforward and simple to me. I haven't tested the patch, but I've no comments on the coding style. I think this is good to go after some testing.
Comment #18
Stefan Nagtegaal CreditAttribution: Stefan Nagtegaal commentedTesting within a couple of minutes.... :-)
Comment #19
merlinofchaos CreditAttribution: merlinofchaos commentedThis patch is exactly the same functionality but includes CHANGELOG.txt update
Comment #20
merlinofchaos CreditAttribution: merlinofchaos commentedNote: this patch doesn't create a new directory, it puts settings.php in sites/default as always -- the focus of this patch is to prevent self-modifying a file that ships with Drupal.
Comment #21
webchickI love the removal of all those cheesy hacks for checking for the default db string. I also love that a pristine copy of the settings file will always be present, in case you totally hose something on your site and need to revert, or need to see the differences during an update. And of course, the number of hours that have been lost by various testers, core committers, etc. encountering patches with settings.php in them is reason enough to commit this. ;)
I tested the following conditions:
- Variety of error stuff on the main db page: leaving fields blank, invalid credentials, etc.
- Pointing the installer to a pre-existing database; it still caught this fine.
- Doing a normal install, which worked properly.
- 'databasename' database with user 'username' and pass 'password' on host 'localhost'... while I couldn't get this to work (probably messed I something up), merlin confirmed that it worked for him, which means all our code checking for this has been eliminated.
Marking RTBC.
Comment #22
HedgeMage CreditAttribution: HedgeMage commentedLooks good here, too. I don't have much to add to webchick's evaluation other than "database" "username" "password" works fine for me.
Comment #23
Stefan Nagtegaal CreditAttribution: Stefan Nagtegaal commentedI have tested the patch and can verify that it works very nicely..
Noticed no (new) errors or mis-behaviour..
IMO rtbc.
Comment #24
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Thanks folks! :)
Comment #25
Gábor HojtsyGrm, this broken Drupal 6.x-dev for me, because it cannot open "settings.php" for writing in the folder it wants to. Seems like writability checking is not there. After I provide my DB detailes, I get:
By looking at the code, this is evidently the place (install.inc:228) where the settings file is tried to be written out to the new location.
Comment #26
merlinofchaos CreditAttribution: merlinofchaos commentedHmmm that's interesting. I specifically check for writability to the conf_dir folder:
And this worked for me -- I tested it!
What did I miss?
Comment #27
merlinofchaos CreditAttribution: merlinofchaos commentedGoba, check to see if adding |FILE_EXECUTABLE to the second 'dir' check fixes the problem?
Comment #28
Gábor HojtsyTypos! By looking at the code and putting testing debug messages to some places, it turned out that $mask does not include the FILE_WRITABLE bit. That is because you try to use it as FILE_WRITEABLE (note the extra E) there. If the two constant names are fixed in install.php, the check is fixed.
Already comitted a fix to Drupal core to replace all "writeable" to "writable".
Comment #29
Gábor HojtsyErm, also noticed that now all works fine, but the sites/default folder is left wide open for writing, which allows anyone to place files there (like in the file uploads folder). This is unwanted, and insecure. Drupal should check if it can revoke permissions from there, just like it revokes permission from the settings file. If it is not able to revoke, both the install complete screen and the "site status" page in Drupal should provide a line about the directory left world-writable. This is important security-wise. (I will not work on a fix, but change to the installer form patch instead).
Comment #30
merlinofchaos CreditAttribution: merlinofchaos commentedSimple fix to check both the directory and the file.
Comment #31
Gábor HojtsyWe need the Drupal status page to report the permission problem if not possible to fix automatically, just like it reports the settings.php permission problem if detected.
Comment #32
merlinofchaos CreditAttribution: merlinofchaos commentedWe need the Drupal status page to report the permission problem if not possible to fix automatically, just like it reports the settings.php permission problem if detected.
It does. It only uses one message if either file fails to be fixable and lists both files (I figured there was a very, very high likelihood that if one file can't be fixed neither can the other, and two messages would be clumsy looking).
Comment #33
merlinofchaos CreditAttribution: merlinofchaos commentedComment #34
pwolanin CreditAttribution: pwolanin commentedI agree that checking the directory permission status is critical.
Also, this new install process does not seems to be described or explained in INSTALL.txt
I think this new process will create some problems since the settings.php file will often not be owned by the user's account, but by the webserver account. Is the update system going to have a mechanism for replacing settings.php (e.g. the user has to set the direcetory back to writable)?
Comment #35
Gábor Hojtsy@pwolanin, the update system never touched settings.php as far as I remember. Why would that be required now? (I understand that settings.php might not be possible to edit for the user, being owned by the webserver user, that is a clear limitation of the current system). Added a documentation issue here to update the install.txt (it contains two other related updates, so this is why I have the separate issue): http://drupal.org/node/144256
@merlinofchaos: The problem is that even after I apply your latest patch, I get a green line that my config file is protected on the ?q=admin/logs/status page. But the sites/default directory is wide open for writing. A fix for this is what I miss from the patch to close the circle (I already posted a patch against INSTALL.txt as noted above).
Comment #36
BioALIEN CreditAttribution: BioALIEN commentedGuys, sorry to arrive so late into this. But wouldn't the following be more ideal?
It would be better to get rid of the /default/ directory and have something like this in place:
Overall, it makes for nicer tree. Also since variables in the "default" settings.php applies to "all" sites. Correct me if I'm missing the point :)
Comment #37
pwolanin CreditAttribution: pwolanin commentedAs far as I can tell, there is still not a check in the system status that the sites/default (or whichever) directory is not writable. This seems to be a significant security hole.
Comment #38
Gábor HojtsyBioALIEN: the default site settings are not used when you have specific sites folders, 'all' is very different from 'default'.
pwolanin: We are awiting merlinofchaos pushing a patch in to fix the hole.
Comment #39
merlinofchaos CreditAttribution: merlinofchaos commentedGoba, in #30 I'd posted a patch to address this. As near as I can tell, that patch was completely ignored.
Now it doesn't apply. Why have people been yelling about this and ignoring the patch I posted?
Comment #40
merlinofchaos CreditAttribution: merlinofchaos commentedHere is a reroll of the patch. I'm realizing that what Goba was talking about is the hook_requirements check, but that should NOT have prevented this much more critical fix from being committed.
Comment #41
merlinofchaos CreditAttribution: merlinofchaos commentedThis one fixes the hook_requirements in system.install to check the directory as well.
Comment #42
merlinofchaos CreditAttribution: merlinofchaos commentedRerolled for text update on pwolanin's suggestion
Comment #43
merlinofchaos CreditAttribution: merlinofchaos commentedEr. Except I grabbed the wrong patch.
Comment #44
pwolanin CreditAttribution: pwolanin commentedjust tested fix_sites_3.patch on 2 systems:
on a system with php running with suexec (so running as my account), both sites/default and sites/default/settings.php are changed to non-writable. If I change them to writable, they are set to non-writable any time I visit /admin or /admin/logs/status. this workes fine at /sites/example.com as well.
on a system with php running as Apache (user www), sites/default/settings.php is set to 444, and owned by www. /sites/default is left as 777, but I get the warning at the end of the install page, and it shows up as an error on the system status page. Changing sites/default to 555 clears the error.
For this latter system, error on system status page also works as expected if I move settings.php to sites/example.com and change the permissions of either settings.php or the directory.
code changes are minor and reasonable.
Comment #45
BioALIEN CreditAttribution: BioALIEN commentedI'm happy with pwolanin's feedback, so long as changing the permissions avoids creating problems with umasks (http://drupal.org/node/116041).
Comment #46
Gábor HojtsyMerlionfchaos: instead of "completely ignoring" you, we pointed out that the patch you posted in #30 is not adequate to inform users about security problems, and as such does not fulfill your intended goal, so it was basically not ready for committing. I am glad you provided a complete fix now, which looks logical and is even tested, so I committed it. Thanks for the patch.
Comment #47
merlinofchaos CreditAttribution: merlinofchaos commentedGoba;
What you asked for was a cosmetic fix, and to be honest, I simply didn't realize you were talking about something that, in my mind is completely different from what I was fixing.
The patch I submitted should not have been held up for that. It was perfectly adequate for what it was doing. Yes, maybe I was thickheaded for not realizing you were talking about the status page, but I hadn't remembered there was even a check for that on the status page. I was fixing install.php, and I did fix that, and the patch got rejected because it didn't fix system.install.
It doesn't help that all of this has been as a followup to the issue, when it really should have been its own issue, where what was actually wrong could have been better documented.
It also doesn't help that for some reason everyone felt I was the only person who could fix this. It was a freaking cosmetic fix. It's no wonder that so many people are afraid to submit patches for Drupal.
Comment #48
Gábor HojtsyWell, you have probably seen people installing with "Next, Next, Yes, I agree, Done, let me use it *now*" way... No matter what strong warning you put into the installer, it will not be effective if not coupled with warnings on the runtime system nagging the admin to actually fix the problem. People easily and quickly click through the installer. I think both the installer and runtime check functionality should have been *in the original patch*, even not in follow up patches, especially not in separate issues. The installer changes and the runtime notification changes are so close that they are almost copy-paste of each other (the messages differ a little bit).
Anyone could have provided this fix, for sure. Nobody come around to this issue to fix it and you were arguing that you already fixed the concerns brought up, so it was logical to try to underline our point that the previously posted patch did not solve the issue adequately.
Excuse me if I was not clear enough throughout handling this issue.
Comment #49
(not verified) CreditAttribution: commented