Move config directories (et al.) out of the webroot #86

Closed
tstoeckler opened this issue Dec 6, 2015 · 19 comments

@tstoeckler
Contributor

It is a best practice to move as much as possible outside of the webroot. Specifically Drupal's config directories are stored inside of the webroot by default, but they really should be placed outside if possible. Because we have the dedicated web directory for the webroot, we can easily do this in the template, so that everyone using it automatically benefits from the added security measure.

We simply have to change

$config_directories = array();

in the default.settings.php to

$config_directories[CONFIG_SYNC_DIRECTORY] = '../config/sync';

Some questions/problems arise from this, however (which is why I did not do a pull request directly):

  1. Naming: Just like the web directory, people might have different naming patterns. I always use config for this, but people might have non-Drupal-specific config in their repos or whatever.
  2. The update-scaffold script when run, would revert any custom modifications to the default.settings.php so I think we should find a solution to that before doing any custom modifications. One possibility would be to also commit a patch file, which the update-scaffold script then applies. Not sure.

Anyway, wanted to put this out there, so we can discuss.

Once we have figured this out, we should (IMO) also move private files (!!!) and also translation files out of the webroot, but I thought config was a good place to start.

@webflo
Member

webflo commented Dec 7, 2015

👍 @greg-1-anderson proposed a different layout for settings.php in #39 (comment)

Maybe this helps to move forward?

@webflo
Member

webflo commented Dec 7, 2015

👍 for settings.php in the repo. Let's ping a few other people :)

// cc @drupal-composer/contributors @weitzman @deviantintegral @yched @pfrenssen @jcnventura

@weitzman
Contributor

weitzman commented Dec 7, 2015

settings.php in the repo is fine for me.

  1. There is only one config directory by default
  2. I don't love moving that one directory out of Drupal by default. The problem is that one can't export by default since sync would be pointing at a git controlled dir which is usually read-only. Instead, I recommend creating a 2nd config directory called config at top level. That one is used for importing, and the sync dir is used for exporting. If we can't all agree on this (my expectation), we should probably just omit config from this project.

@greg-1-anderson
Collaborator

In drops-8, Pantheon modifies default.settings.php in addition to settings.php, because Drupal's instructions for reinstallation state that you should "copy your default.settings.php file over your settings.php file" if you want to re-install Drupal. If we simply modify settings.php, then we run the risk that users might blindly follow these instructions, removing customizations (config and private directory locations) that they did not realize were there.

The situation here is different, though; Pantheon maintains drops-8 as a fork, but I don't think that this project wants to maintain a fork of Drupal, even for a file like default.settings.php. I am also reluctant to recommend additional scripts and hooks to fix up the default.settings.php.

Perhaps the best thing to do would be to commit a settings.php file to the repository that contains comments recommending that the user relocate the config and private directories. We could also put an advisory in the README. This way, when the user followed these instructions, they would be aware that settings.php was no longer in a default state, and would be less likely to overwrite their customizations with default.settings.php.

I admit that it would be nice if config and private files were simply placed in a nice location by default, so I am open to suggestions about which of these alternatives is actually best.

@greg-1-anderson
Collaborator

Didn't read @weitzman's comment until after I saved mine.

I think it sounds like comments in settings.php is perhaps the best way to go.

@jcnventura
Collaborator

+1 for settings.php in repo w/ include for settings.local.php

@greg-1-anderson
Collaborator

@jcnventura: are you voting for a settings.php file that uses:

$config_directories[CONFIG_SYNC_DIRECTORY] = '../config/sync';

or

// $config_directories[CONFIG_SYNC_DIRECTORY] = '../config/sync';

@Cyberschorsch

+1 on this

@zviryatko

+1

@deviantintegral
Contributor

As mentioned above, core treats settings.php files as "fork and edit", and using composer is already bringing in many differences compared to how a typical Drupal site is built. The fewer composer specific steps we have, the easier it is to get a new team on board with it.

I'd say we should go for comments with suggestions, and only change default config values if there is a direct security implication or if it breaks using composer entirely.

@greg-1-anderson
Collaborator

Another alternative would be to put the suggested configuration file settings into some other example file that we maintain here. We could then append this recommended file to the end of default.settings.php after composer install and composer update. We can then decide independently about the issue of what to do about settings.php in #39.

@webflo
Member

webflo commented Jun 25, 2017

We did this in 2f45db3

@webflo webflo closed this as completed Jun 25, 2017
@xvendo

xvendo commented Jan 13, 2018

Hi @webflo I think this is still an issue!

I have to manually create ..config/sync directory. The installer can't handle it. I am working in my home directory, no permission problems.

The ..config/sync won't get created.

I am using nginx as webserver, with this example vhost:
https://www.nginx.com/resources/wiki/start/topics/recipes/drupal

Composer installed globally.

Installation done with:
composer create-project drupal-composer/drupal-project:8.x-dev myproject --stability dev --no-interaction

Everything works fine. But the ..config/sync directory can't get created.

Installing drupal-composer/drupal-project (8.x-dev c5f0d69)

  • Installing drupal-composer/drupal-project (8.x-dev c5f0d69): Cloning c5f0d69 from cache
    ...
    config-sync-error

@joelpittet
Contributor

The web server user needs write permissions to the parent directory.

@xvendo

xvendo commented Jan 15, 2018

Thanks @joelpittet. Isn't that a security issue when moving my installation to production server?

@xvendo

xvendo commented Jan 15, 2018

It was only possible for me after I have followed this guide:
https://askubuntu.com/questions/767504/permissions-problems-with-var-www-html-and-my-own-home-directory-for-a-website/767534#767534

My permissions:


drwxrwsr-x  7 paul www-data 4096 Jan 15 17:34 .
drwxrwsr-x  7 paul www-data 4096 Jan 15 17:34 ..
-rw-rw-rw-  1 paul www-data  385 Jan 15 17:34 autoload.php
drwxrwsr-x 12 paul www-data 4096 Jan 15 17:33 core
-rw-rw-r--  1 paul www-data 1025 Jan 15 17:33 .csslintrc
-rw-rw-r--  1 paul www-data  357 Jan 15 17:33 .editorconfig
-rw-rw-r--  1 paul www-data  151 Jan 15 17:33 .eslintignore
-rw-rw-r--  1 paul www-data   41 Jan 15 17:33 .eslintrc.json
-rw-rw-r--  1 paul www-data 3858 Jan 15 17:33 .gitattributes
-rw-rw-r--  1 paul www-data 7866 Jan 15 17:33 .htaccess
-rw-rw-r--  1 paul www-data  549 Jan 15 17:33 index.php
drwxrwsr-x  2 paul www-data 4096 Jan 15 17:34 modules
drwxrwsr-x  2 paul www-data 4096 Jan 15 17:34 profiles
-rw-rw-r--  1 paul www-data 1596 Jan 15 17:33 robots.txt
drwxr-sr-x  3 paul www-data 4096 Jan 15 17:34 sites
drwxrwsr-x  2 paul www-data 4096 Jan 15 17:34 themes
-rw-rw-r--  1 paul www-data  848 Jan 15 17:34 update.php
-rw-rw-r--  1 paul www-data 4555 Jan 15 17:34 web.config

This works for nginx as well!
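
As an added example (not part of the original thread or the project's code), the shell script below checks the two points raised in this discussion: whether a configured sync directory such as `../config/sync` really resolves outside the webroot, and whether it is world-writable. The function names and the temporary sample tree are constructed for illustration, and relative paths are assumed to resolve against the webroot.

```shell
#!/bin/sh
# Added example, not project code. Function names and the sample tree are
# hypothetical; relative paths are resolved against the webroot (assumption).

# Canonical absolute path of DIR, taken relative to BASE; fails if missing.
resolve_path() {  # resolve_path BASE DIR
  ( unset CDPATH; cd "$1" 2>/dev/null && cd "$2" 2>/dev/null && pwd -P )
}

# Returns 0 = outside the webroot, 1 = inside it, 2 = path does not resolve.
is_outside_webroot() {  # is_outside_webroot WEBROOT CONFIG_PATH
  _web=$(resolve_path "$1" .) || return 2
  _dir=$(resolve_path "$1" "$2") || return 2
  case "$_dir/" in
    "$_web"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints how many entries under DIR are writable by every local user.
world_writable_count() {  # world_writable_count DIR
  find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Constructed sample: <project>/web is the webroot, <project>/config/sync the
# relocated sync directory, plus a sync directory left under sites/default/files.
make_demo_tree() {
  _p=$(mktemp -d) || return 1
  mkdir -p "$_p/web/sites/default/files/config_HASH/sync" "$_p/config/sync"
  chmod 775 "$_p/config/sync"
  echo "$_p"
}

audit() {  # audit WEBROOT CONFIG_PATH -> prints one verdict line
  _rc=0
  is_outside_webroot "$1" "$2" || _rc=$?
  case "$_rc" in
    0) echo "ok:   $2 is outside the webroot" ;;
    1) echo "FAIL: $2 resolves inside the webroot" ;;
    *) echo "FAIL: $2 does not resolve to a directory" ;;
  esac
}

proj=$(make_demo_tree)
audit "$proj/web" ../config/sync
audit "$proj/web" sites/default/files/config_HASH/sync
echo "world-writable entries: $(world_writable_count "$proj/config/sync")"
rm -rf "$proj"
```

Because the comparison uses physical paths from `pwd -P`, a sync directory reached through a symlink is judged by where it actually lives, not by the path written in settings.php.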

@xvendo

xvendo commented Jan 15, 2018

Hi @joelpittet, I am currently working on an ebook about drupal 8, could you confirm following the guide I already shared with you is a good way to go? Cheers

@webflo
Member

webflo commented Jan 16, 2018

We could add config/sync/README.txt to the git repo and the install script should make the folder writable. Similar to how we handle it with sites/default/files.

@xvendo

xvendo commented Jan 16, 2018 via email

g3r4 pushed a commit to Bixal/drupal-project that referenced this issue May 6, 2019
Feature/WIOA-481 all plans

Approved-by: Gerardo Maldonado <gerardo.maldonado@bixal.com>