diff --git a/INSTALL.txt b/INSTALL.txt index 0e00a0e77a74eecc12fb357214e9fbee9456c3bc..45f41473575e12a7d29a8b0413336bca06fae2f7 100644 --- a/INSTALL.txt +++ b/INSTALL.txt @@ -79,13 +79,15 @@ INSTALLATION http://drupal.org/project/translations and download the package. Extract the contents to the same directory where you extracted Drupal into. -2. CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS +2. IF NECESSARY, CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS Drupal comes with a default.settings.php file in the sites/default directory. The installer uses this file as a template to create your settings file using the details you provide through the install process. To avoid problems when upgrading, Drupal is not packaged with an actual - settings file. You must create a file named settings.php. You may do so + settings file. During installation, Drupal will try to create this settings + file automatically. If this fails (which it can due to different server + setups), you must create a file named settings.php yourself. You may do so by making a copy of default.settings.php (or create an empty file with this name in the same directory). For example, (from the installation directory) make a copy of the default.settings.php file with the command: diff --git a/includes/install.core.inc b/includes/install.core.inc index 720588eb885d470b6eef29dc8546f4620c2a0d70..a334f7bb3d6e595a9d3e6906707c3b5b18ed0444 100644 --- a/includes/install.core.inc +++ b/includes/install.core.inc @@ -1568,7 +1568,7 @@ function install_check_requirements($install_state) { $exists = FALSE; // Verify that the directory exists. if (drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')) { - // Check to make sure a settings.php already exists. + // Check if a settings.php file already exists. $file = $settings_file; if (drupal_verify_install_file($settings_file, FILE_EXIST)) { // If it does, make sure it is writable. 
@@ -1587,6 +1587,38 @@ function install_check_requirements($install_state) { 'description' => st('The @drupal installer requires that the %default-file file not be modified in any way from the original download.', array('@drupal' => drupal_install_profile_distribution_name(), '%default-file' => $default_settings_file)), ); } + // Otherwise, if settings.php does not exist yet, we can try to copy + // default.settings.php to create it. + elseif (!$exists) { + $copied = drupal_verify_install_file($conf_path, FILE_EXIST|FILE_WRITABLE, 'dir') && @copy($default_settings_file, $settings_file); + if ($copied) { + // If the new settings file has the same owner as default.settings.php, + // this means default.settings.php is owned by the webserver user. + // This is an inherent security weakness because it allows a malicious + // webserver process to append arbitrary PHP code and then execute it. + // However, it is also a common configuration on shared hosting, and + // there is nothing Drupal can do to prevent it. In this situation, + // having settings.php also owned by the webserver does not introduce + // any additional security risk, so we keep the file in place. + if (fileowner($default_settings_file) === fileowner($settings_file)) { + $writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE); + $exists = TRUE; + } + // If settings.php and default.settings.php have different owners, this + // probably means the server is set up "securely" (with the webserver + // running as its own user, distinct from the user who owns all the + // Drupal PHP files), although with either a group or world writable + // sites directory. Keeping settings.php owned by the webserver would + // therefore introduce a security risk. It would also cause a usability + // problem, since site owners who do not have root access to the file + // system would be unable to edit their settings file later on. 
We + // therefore must delete the file we just created and force the + // administrator to log on to the server and create it manually. + else { + drupal_unlink($settings_file); + } + } + } // If settings.php does not exist, throw an error. if (!$exists) {
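Review bot: The ownership test `fileowner($default_settings_file) === fileowner($settings_file)` fails open, because PHP's fileowner() returns FALSE on error and FALSE === FALSE takes the branch that keeps the webserver-created settings.php and sets `$exists = TRUE`. Capture the owner first and require a real value, e.g. `$default_owner = fileowner($default_settings_file);` followed by `if ($default_owner !== FALSE && $default_owner === fileowner($settings_file)) {`, so that any stat failure falls through to the delete branch. The else branch also ignores the result of `drupal_unlink($settings_file)`; if the removal fails, the file stays on disk and the existing-file check earlier in this function would presumably accept it on the next request, so the failure should at least be surfaced in the requirements error. install_check_requirements() begins and ends outside this hunk.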