Commit 20b6dd16 authored by anarcat's avatar anarcat Committed by anarcat

restrict sites to their platforms as another security layer

this also makes sure that ~/config/includes/global.inc exists so that open_basedir checks don't break

this is just a quick workaround to make sure sites can't access the aegir site database, which should be kept in a separate platform

Spotted and original patch by: emspace
parent 961deee4
......@@ -22,6 +22,17 @@ function drush_provision_drupal_provision_verify_validate($url = null) {
function drush_provision_drupal_provision_verify($url = null) {
if (PROVISION_CONTEXT_PLATFORM) {
_provision_create_dir(drush_get_option('config_path'), dt('Provision configuration'), 0711);
_provision_create_dir(drush_get_option('config_path') . '/includes', dt('Provision PHP configuration'), 0711);
if (!provision_path('exists', drush_get_option('config_path') . '/includes/global.inc', TRUE, dt("Global configuration file exists"))) {
# create an empty global.inc so the include doesn't fail with
# open_basedir restrictions
if (!$file = fopen(drush_get_option('config_path') . '/includes/global.inc', 'a')) {
drush_set_error('PROVISION_FRAMEWORK_ERROR', dt('Cannot create global settings configuration'));
} else {
fwrite($file, "<?php # global settings.php");
fclose($file);
}
}
_provision_create_dir(drush_get_option('backup_path'), dt('Backup'), 0700);
provision_path("writable", drush_get_option('sites_path'), TRUE, dt("Drupal sites directory is writable by the provisioning script"),
dt("Drupal sites directory is not writable by the provisioning script"), 'PROVISION_SITES_DIR_NOT_WRITABLE');
......
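Review bot: The global.inc created in the new `fopen(..., 'a')` branch gets whatever mode the process umask yields and the `fwrite()` result is never checked, so a short write leaves a truncated file that every site on this platform will then include. Because the `includes` directory is created 0711 and the file must be readable by each site's PHP process, the mode should be set explicitly after `fclose()` (matching whatever the platform's other generated config files use) rather than inherited from the umask. The assignment-inside-condition `if (!$file = fopen(...))` is easy to misread; a separate `$file = fopen(...)` followed by a `=== FALSE` check reads better, and `drush_get_option('config_path')` is called four times in this hunk and could be hoisted into a local. drush_provision_drupal_provision_verify continues past the end of the hunk.
```php
$config_path = drush_get_option('config_path');
// … unchanged: _provision_create_dir() calls for $config_path and $config_path . '/includes' …
if (!provision_path('exists', $config_path . '/includes/global.inc', TRUE, dt("Global configuration file exists"))) {
  // create an empty global.inc so the include doesn't fail under
  // open_basedir restrictions; report a failed write, not only a failed open
  $file = fopen($config_path . '/includes/global.inc', 'a');
  if ($file === FALSE || fwrite($file, "<?php # global settings.php") === FALSE) {
    drush_set_error('PROVISION_FRAMEWORK_ERROR', dt('Cannot create global settings configuration'));
  }
  if ($file !== FALSE) {
    fclose($file);
  }
}
```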
......@@ -23,4 +23,6 @@
SetHandler This_is_a_Drupal_security_line_do_not_remove
</Directory>
php_admin_value open_basedir /tmp:<?php print $publish_path ?>/:<?php print $config_path ?>/includes/
</VirtualHost>
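Review bot: The `/tmp` entry in the added `open_basedir` line is shared by every site on the host, so a site confined to its platform can still read whatever other sites leave there (PHP session files and upload temp files typically land in the system temp dir unless `session.save_path` / `upload_tmp_dir` are pointed elsewhere); a per-site or per-platform temporary directory would close that gap and make the commit's "sites can't reach each other" goal hold for temp data too. The trailing slashes after the interpolated paths are correct and worth a template comment, since a value without one is a prefix match and would also admit sibling directories that share the prefix, e.g. `# trailing slashes matter: open_basedir matches by prefix without them`. `$publish_path` and `$config_path` are printed raw, so a path containing `:` would split the list — presumably these are admin-controlled, but confirm they are never derived from site input. Only four of the six new lines of this hunk are visible here.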