[TYPO3-core] RFC #14719: Automatically create ENABLE_INSTALL_TOOL file when 1-2-3 Install Tool is used
Jeff Segars
jsegars at alumni.rice.edu
Wed Jun 16 17:32:25 CEST 2010
On 6/16/10 8:57 AM, Philipp Gampe wrote:
> On 16.06.2010, at 15:50, Jeff Segars <jsegars at alumni.rice.edu> wrote:
>
>> Hey guys,
>> Thanks for all the feedback so far. Here's a quick recap of the
>> various options, as well as the pros and cons of each.
>>
>> 1. Create ENABLE_INSTALL_TOOL as part of 123 Install Tool redirect
>> Pros: simple, very easy for user
>> Cons: security issues, the Install Tool remains accessible until
>> there's a DB configured regardless of how long that may be
>>
>> 2. Ship with an ENABLE_INSTALL_TOOL.1 file
>> Pros: no security concerns, a little easier for user
>> Cons: timestamp does not change when file is renamed so there has to
>> be some code component
>>
>> 3. Improve the lock message when in 123 Install Tool
>> Pros: no security concerns, the file creation is more clearly
>> explained and less "scary"
>> Cons: the file still has to be created manually
>>
>> Anything else I'm missing?
>
> As just written:
>
> 4. Check for another file (e.g. QUICKSTART) and create a new
> ENABLE_INSTALL_TOOL file on demand
> Pros: easy to use for packages
> Cons: needs more code; file needs to be in place
>
> Best regards
This was the original idea proposed by Steffen K. on the v4 list and
everyone eventually moved to the idea of not having 2 files and basing
it on DB configuration instead. Of course, opinions seem to have changed
since then ;)

Marcus also mentioned the security concern of bad file permissions
keeping the QUICKSTART file from being deleted so that the
ENABLE_INSTALL_TOOL is created repeatedly.

I guess the entire question comes down to this: are we and the security
team OK with the Install Tool remaining open under certain abnormal
circumstances (bad file permissions, install not started) in order to
improve usability? If so, then #1 or #4 are good options. If not, #3
is the only real option I see.

Thanks,
Jeff