summaryrefslogtreecommitdiffstats
path: root/sites
diff options
context:
space:
mode:
authorJennifer Hodgdon2012-08-31 15:42:21 (GMT)
committerJennifer Hodgdon2012-08-31 15:42:21 (GMT)
commit3782025a16d8c1f01a43b34a44b811e2aaf9b1a4 (patch)
tree8f1a7bac9fe9e4bccf3229ebc5f1478ff7185f60 /sites
parenteaa33c95185266b0c4d1f6115e8f73284625eff9 (diff)
Issue #932110 by dcam, Albert Volkman, jurgenhaas, marji, David_Rothstein: Add note to settings.php about updates and security
Diffstat (limited to 'sites')
-rw-r--r--sites/default/default.settings.php18
1 files changed, 13 insertions, 5 deletions
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 0ae34a2..7071a58 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -510,13 +510,21 @@ $conf['404_fast_html'] = '<html xmlns="http://www.w3.org/1999/xhtml"><head><titl
*
* The Update manager module included with Drupal provides a mechanism for
* site administrators to securely install missing updates for the site
- * directly through the web user interface by providing either SSH or FTP
- * credentials. This allows the site to update the new files as the user who
- * owns all the Drupal files, instead of as the user the webserver is running
- * as. However, some sites might wish to disable this functionality, and only
- * update the code directly via SSH or FTP themselves. This setting completely
+ * directly through the web user interface. On securely-configured servers,
+ * the Update manager will require the administrator to provide SSH or FTP
+ * credentials before allowing the installation to proceed; this allows the
+ * site to update the new files as the user who owns all the Drupal files,
+ * instead of as the user the webserver is running as. On servers where the
+ * webserver user is itself the owner of the Drupal files, the administrator
+ * will not be prompted for SSH or FTP credentials (note that these server
+ * setups are common on shared hosting, but are inherently insecure).
+ *
+ * Some sites might wish to disable the above functionality, and only update
+ * the code directly via SSH or FTP themselves. This setting completely
* disables all functionality related to these authorized file operations.
*
+ * @see http://drupal.org/node/244924
+ *
* Remove the leading hash signs to disable.
*/
# $conf['allow_authorize_operations'] = FALSE;