Need for a security warning related to modules, themes and profiles directories
torenware opened this issue · 2 comments
I see that in #28 that the Dockerfile was modified to make extension related directories (modules, themes, and profiles) web server writable. I can see why this was done -- it makes it possible to install themes and modules via the admin UI -- but it's arguably a security hole, since it greatly increases the surface for attacks that work by adding malicious executable code to an install.
While I'd guess that small drupal installs that use the admin UI install feature is an important use case here, we may want to add a note to README.md indicating that volumes mounted at those points should only be writable if you intend to do this. Otherwise, users of the image would be better off with root.root ownership on these directories.
The same could be said about settings.php as well.
Closing since this isn't really something to fix in the image itself -- a PR linking to more documentation from Drupal around this in the documentation for the image would be A+.