This is an issue from dww that was internal on s.d.o - we're removing stuff from that queue if it doesn't really really need to be private:

That's great. But that seems like you're talking about configuration *within* your Drupal site. I think we should at least have a page, if not a section, outlining some of the things that average Drupal admins, even on shared hosting accounts, should be aware of *outside* their Drupal installation. I know we don't want to get into the business of providing and maintaining generic documentation on how to be a security-conscious sysadmin. Unfortunately, I don't think we can assume a base-level understanding of the issues, and reading through these docs once might be the only thing that many Drupal admins ever do to educate themselves. We should at least provide a place to introduce people to some things to be aware of and provide links to other sources of information.

We've had to strike the right balance on this before, for example, in the CVS handbook. I didn't want to duplicate the effort of a CVS manual, but at the same time, I couldn't just assume everyone had read one, and sometimes I had to introduce some basic concepts myself, and provide links to existing manuals for more info.

Rough sketch of some of the things this section could contain:

- File ownership and permissions
- Protecting info about how to connect to the site's DB
- The security implications of the 'files' directory and what to do about them
- What to do about your site's temp directory, why /tmp can be a scary place, etc.
- .htaccess considerations
- Restricting access to update.php and cron.php (it's too bad this has to live in the "outside Drupal" section of the docs).
- Warnings about why FTP is insecure, to encourage people to seek more secure alternatives
...

Thoughts? Is this opening a can of worms? Do people agree at least a brief introduction to some of these things and pointers to other docs would be worth adding? Any other suggestions for what we should cover here?

Thanks,
-Derek
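
As an added illustration of the "outside Drupal" checklist above (this script is not from the issue, from drupal.org's documentation, or from Drupal core), here is a POSIX shell audit that walks a Drupal 6/7-style docroot and reports the filesystem-level problems the list names: settings.php permissions and the `$update_free_access` setting behind update.php, the files directory and its .htaccess, stray PHP scripts under files, and the docroot .htaccess. It assumes the standard sites/default layout and a GNU or BSD stat; the thresholds (440 for settings.php, 750 for files) are assumptions that follow common shared-hosting advice, and the demo site it builds is constructed sample data. FTP use and the temp-directory setting cannot be judged from the filesystem, so they are out of scope.

```shell
#!/bin/sh
# Added example, not part of the drupal.org issue or Drupal's own docs.
# Audits a Drupal 6/7-style docroot (sites/default/settings.php,
# sites/default/files) for the filesystem-level points listed above.
# Assumes GNU or BSD stat; all thresholds below are assumptions.

# Octal permission bits of a path without a leading zero, e.g. 644 or 2750.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one finding and bump the counter.
finding() {
    printf 'FINDING: %s\n' "$1"
    findings=$((findings + 1))
}

# drupal_audit DOCROOT -> prints findings, returns their count (0 = clean).
drupal_audit() {
    docroot=$1
    findings=0
    settings="$docroot/sites/default/settings.php"
    files="$docroot/sites/default/files"

    if [ -f "$settings" ]; then
        mode=$(mode_of "$settings" | sed 's/^0*//'); mode=${mode:-0}
        other=$((mode % 10)); group=$((mode / 10 % 10))
        # Anyone who can write settings.php can change the DB credentials or
        # inject PHP; Drupal's status report warns about a writable file too.
        if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
            finding "settings.php is writable by group or others (mode $mode)"
        fi
        # World-readable settings.php hands the DB password to every other
        # account on a shared host; 440 with the web server's group is the target.
        if [ $((other & 4)) -ne 0 ]; then
            finding "settings.php is readable by everyone (mode $mode)"
        fi
        # With $update_free_access = TRUE anyone can run update.php unauthenticated.
        if grep -Eq '^[[:space:]]*\$update_free_access[[:space:]]*=[[:space:]]*TRUE' "$settings"; then
            finding "\$update_free_access is TRUE: update.php is open to anyone"
        fi
    else
        finding "no settings.php at $settings"
    fi

    if [ -d "$files" ]; then
        fmode=$(mode_of "$files" | sed 's/^0*//'); fmode=${fmode:-0}
        if [ $((fmode % 10 & 2)) -ne 0 ]; then
            finding "files directory is world-writable (mode $fmode)"
        fi
        # Drupal writes an .htaccess here that stops Apache executing uploads
        # as PHP; without it any upload can become code execution.
        [ -f "$files/.htaccess" ] || finding "files directory has no .htaccess"
        php=$(find "$files" -type f \( -name '*.php' -o -name '*.phtml' \) | head -n 1)
        [ -z "$php" ] || finding "PHP script inside files directory: $php"
    else
        finding "no files directory at $files"
    fi

    # The docroot .htaccess carries the rules that block direct requests for
    # *.inc, *.module and similar files.
    [ -f "$docroot/.htaccess" ] || finding "docroot has no .htaccess"

    return "$findings"
}

# make_demo_site insecure|secure -> prints the path of a constructed docroot.
# This is sample data built for the demonstration, not a real site.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/sites/default/files"
    if [ "$1" = secure ]; then
        printf '<?php\n$update_free_access = FALSE;\n' > "$d/sites/default/settings.php"
        chmod 440 "$d/sites/default/settings.php"
        printf '# constructed placeholder for the files .htaccess\n' > "$d/sites/default/files/.htaccess"
        chmod 750 "$d/sites/default/files"
        printf '# constructed placeholder for the docroot .htaccess\n' > "$d/.htaccess"
    else
        printf '<?php\n$update_free_access = TRUE;\n' > "$d/sites/default/settings.php"
        chmod 666 "$d/sites/default/settings.php"
        chmod 777 "$d/sites/default/files"
        printf '<?php phpinfo();\n' > "$d/sites/default/files/stray.php"
    fi
    printf '%s\n' "$d"
}

# Usage: sh drupal_audit.sh /path/to/docroot   (or --demo for the fixture)
case "${1:-}" in
    --demo) site=$(make_demo_site insecure); drupal_audit "$site" || echo "$? finding(s)"; rm -rf "$site" ;;
    ?*) drupal_audit "$1" ;;
esac
```

The script only reads modes and file names, so it is safe to run on a live site over SSH; the exit status is the number of findings, which makes it easy to hook into cron. On hosts where PHP runs as the site owner (suPHP, PHP-FPM pools) settings.php can be 400 and the files directory 700, which is stricter than the assumed thresholds and still passes.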

Comments

arianek wrote:

I absolutely think this should be included - some of it lives in the install guide right now, eg:

- "Webhosting issues" has subsections about file permissions, and configuring .htaccess and settings.php
- info about settings.php: "Step 3: The settings.php file"
- setting up cron: "Set up cron"
- the files dir: "The files directory"

Understandably some people might not look in the install guide for this info, but it could be fleshed out there with some of this missing info and cross-linked (oh, if only #995370: Want the ability to create multiple outlines/maps)...

arianek wrote:

Issue tags: +Security, +server stuff, +security team

tags

LeeHunter wrote:

I just wanted to note that this information probably belongs in the Administration Guide under Securing Your Site (http://drupal.org/security/secure-configuration). Some of it is already there, although that section needs a lot of work to be more comprehensive, better organized and less verbose.

apaderno wrote:

Issue tags: -Security, -server stuff, -