Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 660554 - www-apps/drupal-8.5.4 questionable webapp-config defaults
Summary: www-apps/drupal-8.5.4 questionable webapp-config defaults
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Web Application Packages Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-06 19:41 UTC by Tyler Montbriand
Modified: 2018-12-06 23:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tyler Montbriand 2018-07-06 19:41:55 UTC
Gentoo distributes drupal with two files listed in "config-files", which are files which need to be customized and therefore shouldn't be hardlinked, but shouldn't necessarily be easily writable by the server:

.htaccess
htdocs/sites/default/settings.php

The package also specifies three files/folders in server-owned-files, specifically earmarking them as customizable files owned and writable by the webserver:

htdocs/files
htdocs/sites/default
htdocs/sites/default/settings.php

htdocs/files makes sense, being a public upload folder.

The last two conflict with config-files in a dangerous way, since server-owned takes precedence and they end up being server-writable no matter what commandline options you choose for webapp-config.

After removing the two offending lines, settings.php is properly protected by default, and leaves you the option to customize the owner/group you want for them via -u and -g.
Comment 1 Larry the Git Cow gentoo-dev 2018-12-06 23:02:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=90dbc873bea81cd39388307dd03cb64358cc113e

commit 90dbc873bea81cd39388307dd03cb64358cc113e
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-12-06 22:58:54 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-12-06 23:02:36 +0000

    www-apps/drupal: Bump to 8.6.4 release.
    
    Follow Tyler Montbriand's suggestion on bug 660554.
    Bug: http://bugs.gentoo.org/660554
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest            |  1 +
 www-apps/drupal/drupal-8.6.4.ebuild | 84 +++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2018-12-06 23:07:06 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab108a1dba6e0d0f8ebf5e8458a4a77972b04899

commit ab108a1dba6e0d0f8ebf5e8458a4a77972b04899
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-12-06 23:06:50 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-12-06 23:06:50 +0000

    www-apps/drupal: Bump to 8.6.4 release.
    
    Follow Tyler Montbriand's suggestion on bug 660554.
    Closes: http://bugs.gentoo.org/660554
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest            |  1 +
 www-apps/drupal/drupal-8.6.4.ebuild | 84 +++++++++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)