[TYPO3-core] RFC #14719: Automatically create ENABLE_INSTALL_TOOL file when 1-2-3 Install Tool is used

Helmut Hummel helmut at typo3.org
Fri Jun 18 20:53:53 CEST 2010


Hi,

On 18.06.10 16:56, Ingo Renner wrote:
> Jeff Segars wrote:
> 
> Hi Jeff and all,
> 
>> If typo3conf/FIRST_INSTALL is present, we immediately delete it and
>> create typo3conf/ENABLE_INSTALL_TOOL. If the file is not present or
>> could not be deleted, then we do not create ENABLE_INSTALL_TOOL and the
>> normal lock message is shown.
> 
> to get something moving I'm giving +1 after reading if the security team
> is also fine with this solution. At least to me it sounds practical.

here we go. My comments:

First of all my personal opinion is that creating a file in a special
place should not be too much hassle for a person who wants to install
an "enterprise content management system". Now that we have a nicely
styled message I consider the whole thing a non-issue.[1]

But this is my personal opinion and I understand that it might be
helpful for someone if the step of creating a file is not necessary.


A short preface:

The security concerns mentioned in the following are somewhat
theoretical, since ideally an installation should _never_ happen on a
production system but in a (secured) development environment. Deployment
on a production system should be done _only_ by "cloning" the
development installation. Doing so, all install tool / installation
process concerns would be obsolete.


The difference between the solution provided by Jeff and the one
provided by Steffen is as follows:

With Jeff's solution, after unpacking TYPO3 and the package with the
FIRST_INSTALL file, the installation, if left unattended, can be taken
over by an attacker who gains access to the mighty tools (editing files
on the server) the install tool provides.

With Steffen's solution an unpacked but not yet configured TYPO3
installation is bound to only the 123 wizard, which is of no use for a
potential attacker, since he or she must guess correct database
credentials before being able to access the mighty tools.

The best would be a combination of both solutions:

Bind the user to the 123 wizard until he or she provides correct
database credentials but autocreate the ENABLE_INSTALL_TOOL only once,
after deleting an existent FIRST_INSTALL file.


Sorry for the long post, but you asked for a comment ;)

Regards Helmut


[1] Wordpress is meant to have a really easy installer. Although the
Wordpress installer is able to create the necessary file, it states "The
safest way is to manually create the file".
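The combined approach sketched above (consume FIRST_INSTALL exactly once to create ENABLE_INSTALL_TOOL, and keep the visitor inside the 1-2-3 wizard until correct database credentials have been supplied), written out as an added example. This is not code from the thread or from TYPO3 core; it assumes a `$confDir` pointing at `typo3conf/`, and the decision whether the submitted database credentials are valid (`$dbCredentialsValid`) is made elsewhere and passed in. The file names FIRST_INSTALL and ENABLE_INSTALL_TOOL are the ones discussed in the thread.

```php
<?php
// Added example (hypothetical helper names); not TYPO3 core code.

/**
 * Consume typo3conf/FIRST_INSTALL once: delete it, then create
 * ENABLE_INSTALL_TOOL. Returns true only when the enable file now exists.
 * Mirrors the rule from the thread: if FIRST_INSTALL is absent or cannot
 * be deleted, nothing is unlocked and the normal lock message applies.
 */
function consumeFirstInstallMarker(string $confDir): bool
{
    $firstInstall = $confDir . '/FIRST_INSTALL';
    $enableFile   = $confDir . '/ENABLE_INSTALL_TOOL';

    if (!is_file($firstInstall)) {
        return false;
    }
    // Delete first; a failed delete must not unlock anything.
    if (!@unlink($firstInstall)) {
        return false;
    }
    // Mode 'x' creates the file exclusively and fails if it already exists,
    // so two concurrent requests cannot both "create" the marker.
    $fh = @fopen($enableFile, 'x');
    if ($fh === false) {
        return is_file($enableFile);
    }
    fwrite($fh, "Created automatically from FIRST_INSTALL on " . date('c') . "\n");
    fclose($fh);
    return true;
}

/**
 * Decide what an install tool request may reach:
 *   'locked'      - no enable file, show the usual lock message
 *   'wizard-only' - enable file present, but database credentials not yet
 *                   verified: only the 1-2-3 wizard, never the file editor
 *   'full'        - credentials verified, all install tool functions
 */
function installToolAccess(string $confDir, bool $dbCredentialsValid): string
{
    $enabled = is_file($confDir . '/ENABLE_INSTALL_TOOL')
        || consumeFirstInstallMarker($confDir);

    if (!$enabled) {
        return 'locked';
    }
    return $dbCredentialsValid ? 'full' : 'wizard-only';
}

// Usage sketch with a constructed temporary typo3conf directory.
$confDir = sys_get_temp_dir() . '/typo3conf_example';
@mkdir($confDir);
touch($confDir . '/FIRST_INSTALL');            // what the package would ship
echo installToolAccess($confDir, false), "\n"; // wizard-only (marker consumed)
echo installToolAccess($confDir, false), "\n"; // wizard-only (enable file persists)
echo installToolAccess($confDir, true),  "\n"; // full, only after correct DB credentials
echo var_export(is_file($confDir . '/FIRST_INSTALL'), true), "\n"; // false: consumed once
```

The point of the split is that an unattended, freshly unpacked installation never exposes more than the wizard: even with ENABLE_INSTALL_TOOL present, the file editor and the other powerful functions stay behind the database credential check, while the one-shot consumption of FIRST_INSTALL means the marker cannot be replayed later.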

