-rw-r--r--INSTALL.txt6
-rw-r--r--includes/install.core.inc34
2 files changed, 37 insertions, 3 deletions
diff --git a/INSTALL.txt b/INSTALL.txt
index 0e00a0e77..45f414735 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -79,13 +79,15 @@ INSTALLATION
http://drupal.org/project/translations and download the package. Extract
the contents to the same directory where you extracted Drupal into.
-2. CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS
+2. IF NECESSARY, CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS
Drupal comes with a default.settings.php file in the sites/default
directory. The installer uses this file as a template to create your
settings file using the details you provide through the install process.
To avoid problems when upgrading, Drupal is not packaged with an actual
- settings file. You must create a file named settings.php. You may do so
+ settings file. During installation, Drupal will try to create this settings
+ file automatically. If this fails (which it can due to different server
+ setups), you must create a file named settings.php yourself. You may do so
by making a copy of default.settings.php (or create an empty file with
this name in the same directory). For example, (from the installation
directory) make a copy of the default.settings.php file with the command:
diff --git a/includes/install.core.inc b/includes/install.core.inc
index 720588eb8..a334f7bb3 100644
--- a/includes/install.core.inc
+++ b/includes/install.core.inc
@@ -1568,7 +1568,7 @@ function install_check_requirements($install_state) {
$exists = FALSE;
// Verify that the directory exists.
if (drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')) {
- // Check to make sure a settings.php already exists.
+ // Check if a settings.php file already exists.
$file = $settings_file;
if (drupal_verify_install_file($settings_file, FILE_EXIST)) {
// If it does, make sure it is writable.
@@ -1587,6 +1587,38 @@ function install_check_requirements($install_state) {
'description' => st('The @drupal installer requires that the %default-file file not be modified in any way from the original download.', array('@drupal' => drupal_install_profile_distribution_name(), '%default-file' => $default_settings_file)),
);
}
+ // Otherwise, if settings.php does not exist yet, we can try to copy
+ // default.settings.php to create it.
+ elseif (!$exists) {
+ $copied = drupal_verify_install_file($conf_path, FILE_EXIST|FILE_WRITABLE, 'dir') && @copy($default_settings_file, $settings_file);
+ if ($copied) {
+ // If the new settings file has the same owner as default.settings.php,
+ // this means default.settings.php is owned by the webserver user.
+ // This is an inherent security weakness because it allows a malicious
+ // webserver process to append arbitrary PHP code and then execute it.
+ // However, it is also a common configuration on shared hosting, and
+ // there is nothing Drupal can do to prevent it. In this situation,
+ // having settings.php also owned by the webserver does not introduce
+ // any additional security risk, so we keep the file in place.
+ if (fileowner($default_settings_file) === fileowner($settings_file)) {
+ $writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE);
+ $exists = TRUE;
+ }
+ // If settings.php and default.settings.php have different owners, this
+ // probably means the server is set up "securely" (with the webserver
+ // running as its own user, distinct from the user who owns all the
+ // Drupal PHP files), although with either a group or world writable
+ // sites directory. Keeping settings.php owned by the webserver would
+ // therefore introduce a security risk. It would also cause a usability
+ // problem, since site owners who do not have root access to the file
+ // system would be unable to edit their settings file later on. We
+ // therefore must delete the file we just created and force the
+ // administrator to log on to the server and create it manually.
+ else {
+ drupal_unlink($settings_file);
+ }
+ }
+ }
// If settings.php does not exist, throw an error.
if (!$exists) {
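Review bot: The owner test `fileowner($default_settings_file) === fileowner($settings_file)` fails open, because `fileowner()` returns FALSE on error: if both calls fail, the strict comparison is still true and the freshly copied, webserver-owned settings.php is kept. Since this comparison is the security decision of the branch, check the result first, e.g. `$default_owner = fileowner($default_settings_file);` followed by `if ($default_owner !== FALSE && $default_owner === fileowner($settings_file)) {`. The return value of `drupal_unlink($settings_file)` in the else branch is also ignored; if the delete fails, the file stays on disk and the existing-file check earlier in the function would presumably accept it on the next request, so a failed unlink is worth reporting as a requirement error. install_check_requirements() starts and ends outside this hunk.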