ScriptHandler.php creates settings.php file with too loose of permissions

[ryan-hovland]

The settings.php file contains sensitive information (salt, database connection credentials) and should not be read/write by everyone (especially on shared hosting). In order to assist the less security minded users the default permissions should be changed.

File: drupal-project/scripts/composer/ScriptHandler.php

Line: 50

$fs->chmod($drupalRoot . '/sites/default/settings.php', 0666);

Suggest changing to

$fs->chmod($drupalRoot . '/sites/default/settings.php', 0660);

[weitzman]

FYI settings.php best practice is to put sensitive info in env variables. See https://github.com/drupal-composer/drupal-project/blob/8.x/.env.example

Still, the proposal looks good.

[webflo]

The settings.php should be writable after the initial setup for the Drupal installer later. The Drupal installer or bootstrap will change the permissions after the file has been updated.

This code is located in system_install() around line 450.

    foreach (['settings.php', 'settings.local.php', 'services.yml'] as $conf_file) {
      $full_path = $site_path . '/' . $conf_file;
      if (file_exists($full_path) && (Settings::get('skip_permissions_hardening') || !drupal_verify_install_file($full_path, FILE_EXIST | FILE_READABLE | FILE_NOT_WRITABLE))) {
        $conf_errors[] = t("The file %file is not protected from modifications and poses a security risk. You must change the file's permissions to be non-writable.", ['%file' => $full_path]);
      }
    }

[webflo]

Please join the discussion in #200