The actual problem is that for some beyond retarded reason in modules/update/update.manager.inc on line 706 (in my present setup, drupal 7.2) the following check is performed:

if (fileowner($project_real_location) == fileowner(conf_path()))

with the comments explaining that conf_path() resolves to e.g. sites/default (why the "e.g." is beyond me - could it be something else?!? or is "i.e." what the authors meant to say?).

The $project_real_location (how real could it be, it is a temporary location underneath temporary:/") is where the file is downloaded and extracted.

Depending on the server setup, this can be randomly complicated by a number of factors. Fact is, even if the web server user has all the rights to write all over the place, it wouldn't make any difference. Enjoy wasting your time trying to make it do so.

And why select a location that is generally created manually prior to installation to check its ownership against files actually created by the web server user. There must be a better way to deal with this.

Eventhough Wordpress is using a similar mechanism (someone is bound to have borrowed it in/from Drupal), they do have a configuration option that overrides this. This is in particular a problem when users can manipulate their setup, but cannot change ownership of files, and especially critical when performing backup, migration, or other maintenance tasks.

Even if there is no easy workaround for this, there has to be at least a hint clarifying exactly what the problem is and how to go about this in case it occurs.

Also note that the web server user may vary. On our setup it was assigned to games (id=5) for whatever reason, so intuitively changing the ownership to www-data (id=33) did not make any difference.

If there is absolutely no way around this, then include an empty file that serves this sole purpose - controlling the write access, but for goodness sake, do not rely on some odd side effects.

I could only join the numerous users in their frustration regarding this! Way to waste people's time!

P.S.: Please do excuse my tone, but I can imagine that the time spent on writing this particular piece of code is by no means comparable to the number of users affected by this and the amount of time they wasted trying to figure this out. The impact of this is quite large (just do a random search for issues related to this). Although it is not directly a security issue, it may have led many people to go against common security practices in desperate attempts to fix this (as some "solutions" appear to suggest).

Comments

philip-iii’s picture

philip-iii CreditAttribution: philip-iii commented

Also, the amount of misinformation being spread regarding this issue, without understanding the actual problem, is quite astounding. There should be absolutely no need to fall back to FTP in this case or to manipulate permissions randomly in hope of fixing the problem (chances are it will not work anyway). There has to be an official statement regarding this problem and how to go about it!

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Status: Active » Closed (duplicate)

This looks very similar to #842620: Update manager can't install modules using FTP due broken FileTransferAuthorizeForm although your bug report has better steps to reproduce in between all the unnecessary moaning.

Posting issues without checking existing issues in the queue, also wastes people's time - probably more time than it took to write the issue in the first place.

I've not seen any issues related to this apart from that one, so presumably you mean forum posts? A lot of people who keep an eye on the issue queue do not check the forums, so it's good you actually posted an issue for it.

I'm marking this as duplicate of the older issue, but I've reposted most of your comment over there. Even if they turn out to be different no-one on that issue offered steps to reproduce, so dealing with it in one place is probably less likely to lead to duplicate work for now.

Cynthia Ewer’s picture

Cynthia Ewer CreditAttribution: Cynthia Ewer commented

Subscribing

Scott M. Sanders’s picture

Scott M. Sanders CreditAttribution: Scott M. Sanders commented

Subscribing for unnecessary moaning

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented

@Scott - you should subscribe to #842620: Update manager can't install modules using FTP due broken FileTransferAuthorizeForm for that now ;)

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein as a volunteer commented

I'm not sure if this is actually a duplicate of the above-mentioned issue (a lot of what's going on in that issue seems to be problems when people are trying to install via FTP). But it could be considered a duplicate of #2325723: Local file transfer impossible due to weird conditions in update manager; "Module installation requires FTP access" instead. That's a newer issue than this one, but less moaning - although still some moaning :)

As described there, there seems to be a good rationale for the current behavior so I'm not sure there's any reason to change it, but at least it should be documented better.

Also:

with the comments explaining that conf_path() resolves to e.g. sites/default (why the "e.g." is beyond me - could it be something else?!? or is "i.e." what the authors meant to say?).

It's "e.g." on purpose - "sites/default" is just the default location that conf_path() returns, but depending on your setup it could be many other things. For example, "sites/example.com" or similar.