Drupalgeddon – our response


The recent #drupalgeddon incident and comments from a customer made us rethink how we apply Drupal updates for customers (2020Media is a leading UK Drupal hosting provider. We offer a tuned hosting environment for Drupal that is fast and responsive).

For those who missed it on the BBC news and elsewhere, ‘Drupalgeddon’ was a critical SQL injection flaw in Drupal 7 core (SA-CORE-2014-005, CVE-2014-3704, fixed in Drupal 7.32) that let unauthenticated attackers take over websites. The Drupal security team later warned that any site not patched within about seven hours of the announcement should be assumed compromised, so applying the update late was not, by itself, enough.

http://www.bbc.com/news/technology-29846539

Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”. “Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.” There is strong feeling on both sides with many arguing against “dumbing down” Drupal.

Whilst we wait for an auto-update mechanism in Drupal (perhaps in Drupal 8?), we’ve always been able to update Drupal for our customers. It’s a free service but one done “on request”.

We do not apply updates automatically to every Drupal site we host, for a very good reason: the risk of breaking a customer’s site is too great. It’s worth noting that Drupalgeddon was the first security problem of its kind in nine years, so it’s arguable that the risk of another on that scale is manageably small. A Drupal core update replaces the entire codebase and leaves only the /sites/ folder untouched, so if a customer or their developer has changed any core file, those changes are wiped out.
An update may also fix a bug or change a feature that the site already works around, and the existing workaround then breaks the site. These are just a few of the reasons.

The problem for us is that we did not build the site in the first place, nor are we familiar with its inner workings, so it is very hard for us to be sure a site is in a working state after an update. A working homepage does not mean the site is 100% working. If the customer has to be involved in checking the site after the update, which in our view they do, they should be involved all the way through: from the Drupal update notification email or the Drupal security list announcement, to the timing of the update, to checking the site afterwards in case a rollback is required.
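One check worth running before any core update is whether the site has modified core at all, since those are exactly the files the update wipes. The shell function below is an added example, not 2020Media’s script or anything from the original post. It assumes you have an unpacked pristine drupal.org tarball of the same release the site is running (both paths are hypothetical), and reports every core file that is modified, missing or added, skipping /sites/ because the update leaves that folder alone.

```bash
#!/usr/bin/env bash
# Added example, not 2020Media's script. Lists core files a site has changed
# relative to a pristine copy of the same Drupal release, so you know what a
# core update will wipe before you run it.
#
# Usage: core_diff /path/to/pristine/drupal /path/to/site
# Assumes the pristine tree is an unpacked drupal.org tarball of the release
# the site is on (hypothetical paths). Everything under sites/ is skipped
# because a core update leaves that folder untouched.
core_diff() {
    local pristine=$1 site=$2 f rel
    # Pass 1: every file a clean core ships. Report it as modified if the
    # site's copy differs, or missing if the site no longer has it.
    find "$pristine" -type f | sort | while IFS= read -r f; do
        rel=${f#"$pristine"/}
        case $rel in sites/*) continue ;; esac
        if [ ! -e "$site/$rel" ]; then
            printf 'missing %s\n' "$rel"
        elif ! cmp -s "$f" "$site/$rel"; then
            printf 'modified %s\n' "$rel"
        fi
    done
    # Pass 2: files in the site that a clean core does not ship (a stray
    # patch file, a custom script in the web root). They are not part of core,
    # so the update does not restore them; listed so you can decide whether
    # they matter.
    find "$site" -type f | sort | while IFS= read -r f; do
        rel=${f#"$site"/}
        case $rel in sites/*) continue ;; esac
        [ -e "$pristine/$rel" ] || printf 'added %s\n' "$rel"
    done
}
```

Capture the output (for example `changes=$(core_diff /tmp/drupal-7.x /var/www/site1)`) and treat any `modified` line as a site that has hacked core: those changes have to be carried as patches and reapplied after the update, or the customer has to agree to lose them. An empty result means the update will only touch what it is supposed to.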

What changes have we made? Actually very little. We have simply streamlined our internal processes so that the technical side of doing an update is a lot quicker. Many of our customers have several sites with us, so we now use some simple scripting to update all of a customer’s sites in one pass once they give us the go-ahead.

Inspiration for the scripting came from Dane Powell ‘s blog: http://danepowell.com/node/69

Our version of the script is:

Update Multiple Drupal Sites Script


#!/usr/bin/env bash
# Update several discrete Drupal sites in turn with drush.
# List each site's document root in installpath.
set -u
installpath[1]=/our/pathtosite1
installpath[2]=/our/pathtosite2
installpath[3]=/our/pathtosite3
backupdir=/pathforbackups
webuser=apache    # user the webserver runs as; change for suphp setups

for filepath in "${installpath[@]}"
do
    printf "Updating %s\n" "$filepath"
    # If the path is wrong, skip the site rather than run drush (and chown -R) in the previous directory.
    cd "$filepath" || { printf "Cannot cd to %s, skipping\n" "$filepath"; continue; }
    sitename=$(basename "$filepath")
    stamp=$(date +%Y%m%d-%H%M%S)
    drush pm-refresh
    # One archive per site, stamped, so site 2's backup does not overwrite site 1's.
    drush archive-dump --overwrite --destination="$backupdir/$sitename-$stamp.tar" \
        || { printf "Backup failed for %s, not updating it\n" "$filepath"; continue; }
    # Keep a copy of .htaccess outside the site; core updates sometimes overwrite it.
    cp -fp .htaccess "$backupdir/$sitename-$stamp.htaccess"
    drush vset --always-set maintenance_mode 1
    drush cache-clear all
    drush up drupal --yes
    drush vset --always-set maintenance_mode 0
    drush cache-clear all
    cp -fp "$backupdir/$sitename-$stamp.htaccess" ./.htaccess
    # Reset ownership to the webserver user (see notes below).
    chown -R "$webuser:$webuser" ./
done

Notes on the script.

This script is for discrete Drupal sites, not Drupal multisite.

We copy .htaccess out of the way and put it back afterwards because we noticed Drupal updates sometimes overwrote the original, and a custom .htaccess (redirects, access rules) is easy to lose without noticing. The archive-dump taken before each update is what you would restore with drush archive-restore if a rollback turns out to be needed, so check that it actually succeeded before updating.

The final step resets the ownership of every file in the site to the user the webserver runs as (apache in the script). If using suphp, or a php-fpm pool that runs as a per-site user, this needs to be changed to that user. Note that a blanket chown -R also hands the webserver ownership of settings.php and everything else, undoing any deliberately tighter ownership, so check file ownership and modes afterwards.

Output is written to the command line so you can see what is going on.

Use at your own risk. Comments and improvements are welcome.

2 thoughts on “Drupalgeddon – our response”

  1. How does this relate to WordPress? WordPress has had auto-updates for a couple of years now. These take place without any user interaction at all.

    A customer notes: “WordPress is aimed at small site owners and often the owner is also involved in maintenance. Most professional businesses that run Drupal sites have a Development-Staging-Production process in place. The update would always be monitored by a technician, which makes auto-updates for these sites irrelevant. Nonetheless an automated update process would still be interesting for non-professional use of Drupal.”
