I've hardened a test Moodle installation per https://docs.moodle.org/38/en/Security_recommendations#Most_secure.2Fparanoid_file_permissions and noted that I'm now seeing a variation of
Failed asserting that '<div class="form-item row" id="admin-test1">\n
<div class="form-label col-sm-3 text-sm-right">\n
<span class="form-shortname d-block small text-muted">test1</span>\n
<div class="form-setting col-sm-9">\n
<div class="form-file defaultsnext">\n
<input type="text" name="s_test1" id="id_s_test1" size="50" value="/var/www/moodletest/public/filter/tex/mimetex.darwin" class="form-control text-ltr" >\n
<div class="form-defaultinfo text-muted text-ltr">Default: Empty</div>\n
<div class="form-description mt-3"><p>Help Path</p>\n
</div>' matches PCRE pattern "/class="text-success"/".
vendor/bin/phpunit "core_admintree_testcase" lib/tests/admintree_test.php
There appear to be five files, after
MDL-26623, that still have u+x set in the git repository:
These are files that were mentioned in
My questions are these:
- Are these the only files within the code repository that Moodle expects to be executable? If yes, where should that be documented? (Security recommendations would seem to be one place; installation might be another).
- Given that the Algebra filter is apparently deprecated in favor of MathJax, should it be executable by default?
- Given that mimetex is a fallback in favor of other, external LaTex renderers, to say nothing of MathJax, should it be executable by default?
- Should there be a unit test capturing the state of 2 and 3? It's a little weird that the test_admin_setting_configexecutable test trips on mimetex and not algebra2tex, although the latter does ship the filter/algebra/algebradebug.php script that reports on permissions.
- Should the existing unit test in test_admin_setting_configexecutable be extended with an explicit check for Linux and FreeBSD, assuming $CFG->ostype supports them (I'm not familiar with the constant)?