Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#8277 closed Bug/Something is broken (fixed)

I find it strange that everybody can read drupal settings.php

Reported by: https://id.mayfirst.org/gripuqam
Owned by: https://id.mayfirst.org/jamie
Priority: Medium
Component: Tech
Keywords: GRIP-UQAM drupal7 chelsea.mayfirst.org
Cc:
Sensitive: no

Description

I find it strange that everybody can read drupal settings.php with default automatic install on chelsea.

    sosterritoireweb@chelsea:/home/members/gripuqam/sites/sosterritoire.gripuqam.mayfirst.org/web/sites$ ls -l default/settings.php
    -r--r--r-- 1 sosterritoireweb sosterritoireweb 23532 jan 12 23:51 default/settings.php

So I am doing:

    $ chmod go-r default/settings.php
    $ ls -l default/settings.php
    -r-------- 1 sosterritoireweb sosterritoireweb 23532 jan 12 23:51 default/settings.php

mv: nardberjean: i am not familiar with the script but that might be worth putting in a ticket
dkg: nardberjean: that does sound like a serious bug, esp. if that file contains database settings
dkg: (though psql settings are not secret, so you shouldn't need to worry about it if you're using psql)

As I am using psql on this site I do not need to worry, it is more a drupal-mysql issue...

Change History (3)

comment:1 Changed 5 years ago by https://id.mayfirst.org/ross

  • Owner set to https://id.mayfirst.org/jamie
  • Status changed from new to assigned

I just tested the automatic installation of drupal 7 on chelsea, and my experience is that the automatic installation fails to configure or create settings.php. I created two drupal 7 web apps from this hosting order and neither seemed to have created a settings.php file.

Jamie, could you inspect this to see what might be failing in the creation of the settings file? Currently there is no database and username/password passed to the user, so installation is extremely difficult since you must know to change the password for the database user and add that to the drupal install credentials.

~/ross

comment:2 Changed 5 years ago by https://id.mayfirst.org/jamie

  • Resolution set to fixed
  • Status changed from assigned to closed

Thanks for posting this problem! This is a bad security flaw. It is now fixed, and I've manually fixed the permissions on all MOSH drupal installs.
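The check and remedy from this ticket, generalized to every settings.php under a directory tree. This is an added example, not part of the ticket and not the script used on the server. The function names and the sample tree are hypothetical, and it assumes PHP runs as the file owner (as with the per-site account in the report), so owner-only read is enough for Drupal.

```shell
#!/bin/sh
# Added example: audit Drupal settings.php files for group/other read access.
# Assumption: PHP runs as the file owner, so mode 0400 still lets Drupal
# load the file. If the web server reads it through a group, keep g+r.

# list_exposed_settings ROOT
# Print every settings.php under ROOT that group or other can read.
# "-perm -040" / "-perm -004" are POSIX find tests for "this bit is set".
list_exposed_settings() {
    find "$1" -type f -name settings.php \
        \( -perm -040 -o -perm -004 \) -print
}

# fix_exposed_settings ROOT
# Apply the ticket's remedy (chmod go-r) to each exposed file, then
# return non-zero if any file is still exposed afterwards.
fix_exposed_settings() {
    find "$1" -type f -name settings.php \
        \( -perm -040 -o -perm -004 \) -exec chmod go-r {} +
    [ -z "$(list_exposed_settings "$1")" ]
}

# make_sample_tree
# Constructed sample data: site-a has the world-readable mode from the
# report (0444), site-b is already restricted (0400). Prints the tree root.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site-a/web/sites/default" \
             "$root/site-b/web/sites/default"
    : > "$root/site-a/web/sites/default/settings.php"
    : > "$root/site-b/web/sites/default/settings.php"
    chmod 0444 "$root/site-a/web/sites/default/settings.php"
    chmod 0400 "$root/site-b/web/sites/default/settings.php"
    printf '%s\n' "$root"
}
```

Run `list_exposed_settings` first to review what would change, then `fix_exposed_settings` on the same root.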

comment:3 Changed 5 years ago by https://id.mayfirst.org/gripuqam

Thanks!
