Reputation: 167
I'm having a craptastic time trying to figure out how I should configure my Drupal folders and files. I've searched all over drupal.org but keep coming up with dribble about the www-data needing access to the "sites" and the "files" folder and how "settings.php" needs some awesome permissions.
But what I need is a list like this:
/ = 744 or drwxr-r--
/includes/ = ...
/misc/ = ...
/modules/ = ...
/profiles/ = ...
/scripts/ = ...
/sites/ = ...
/sites/all/ = ...
/sites/default/ = ...
/sites/default/settings.php = 444?
/sites/default/files/ = ...
I don't think I need someone to catalog every single file, folder, and permission settings for me. I'm guessing that I can just set the root folder permissions to "apply to enclosed items" and then fix the few folders and files that need special settings.
I would really appreciate any contributions that can lead me back to sanity! :)
Scott
Upvotes: 6
Views: 8836
Reputation: 1526
A) It is not advisable to give any form of access to the world, even if it is just read access.
B) Giving the owner of the file only read access leads to a complicated maintenance process (e.g. the most common recommendation, that settings.php should be read-only for all); this will only increase your tasks whenever you want to modify the settings.
In a nutshell:
- World needs 0 access, not even to the public folder.
- Your web server needs read-only access to all files, except the public folder and tmp folder; these will be both read and write.
- Your file owner needs full access to all files, to keep maintenance simple.
This, however, will work best when the file owner and the web server owner are 2 separate users, and you have ssh control over the server and are able to modify the file ownership.
The script below will work when you have the following directory structure:
Site Folder
Site Folder/conf (containing apache virtual host configuration files for this site)
Site Folder/htdocs (containing the site)
In this scenario, kalpesh is the file owner and daemon is the web service owner; it may be www-data for your site.
I normally save such a script in a .sh file and then add it to cron, so that whenever my team members upload new content to the site or update a module, the site's permissions don't get compromised by their mistakes. Cron will execute the script and repair permissions every 24 hours.
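# Site folder: owner has full access, the web server group can read, world gets nothing.
# Stop if the cd fails, so the commands below never run in the wrong directory.
cd ToSiteFolder || exit 1
sudo chown kalpesh:daemon .
sudo chmod 750 .
# Apache virtual host configuration
sudo chown -R kalpesh:daemon ./conf
sudo find ./conf -type d -exec chmod 750 {} +
sudo find ./conf -type f -exec chmod 640 {} +
# The site itself: read-only for the web server
sudo chown -R kalpesh:daemon ./htdocs
sudo find ./htdocs -type d -exec chmod 750 {} +
sudo find ./htdocs -type f -exec chmod 640 {} +
# Public files folder and tmp folder: the web server may also write here
sudo find ./htdocs/sites/default/files -type d -exec chmod 770 {} +
sudo find ./htdocs/sites/default/files -type f -exec chmod 660 {} +
sudo find ./htdocs/tmp -type d -exec chmod 770 {} +
# Explicitly reset settings.php and the directory that holds it
sudo chmod 640 ./htdocs/sites/default/settings.php
sudo chmod 750 ./htdocs/sites/default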
There is a blog that explains this beautifully and breaks many myths. https://technologymythbuster.blogspot.com/2018/06/misconception-about-file-ownerships-and.html
Upvotes: 0
Reputation: 404
I am quite late for the reply, but I ran into this problem and found a way out. From Drupal's official handbook:
Copy this into a file and name it as "fix-permissions.sh"
#!/bin/bash
# chown to another user requires root.
if [ "$(id -u)" != 0 ]; then
    printf "This script must be run as root.\n"
    exit 1
fi

drupal_path=${1%/}
drupal_user=${2}
httpd_group="${3:-www-data}"

# Help menu (the caller decides the exit status)
print_help() {
cat <<-HELP
This script is used to fix permissions of a Drupal installation
you need to provide the following arguments:
1) Path to your Drupal installation.
2) Username of the user that you want to give files/directories ownership.
3) HTTPD group name (defaults to www-data for Apache).
Usage: (sudo) bash ${0##*/} --drupal_path=PATH --drupal_user=USER --httpd_group=GROUP
Example: (sudo) bash ${0##*/} --drupal_path=/usr/local/apache2/htdocs --drupal_user=john --httpd_group=www-data
HELP
}

# Parse Command Line Arguments
while [ $# -gt 0 ]; do
    case "$1" in
        --drupal_path=*)
            drupal_path="${1#*=}"
            ;;
        --drupal_user=*)
            drupal_user="${1#*=}"
            ;;
        --httpd_group=*)
            httpd_group="${1#*=}"
            ;;
        --help)
            print_help
            exit 0
            ;;
        *)
            printf "Invalid argument, run --help for valid arguments.\n"
            exit 1
    esac
    shift
done

# The path must contain sites/ and a system.module (Drupal 8+ keeps it under core/).
# The braces group the two system.module tests; || and && have equal precedence in the shell.
if [ -z "${drupal_path}" ] || [ ! -d "${drupal_path}/sites" ] || { [ ! -f "${drupal_path}/core/modules/system/system.module" ] && [ ! -f "${drupal_path}/modules/system/system.module" ]; }; then
    printf "Please provide a valid Drupal path.\n"
    print_help
    exit 1
fi

# Quoted so that an unknown user yields an empty string instead of a broken test.
if [ -z "${drupal_user}" ] || [ "$(id -un "${drupal_user}" 2> /dev/null)" != "${drupal_user}" ]; then
    printf "Please provide a valid user.\n"
    print_help
    exit 1
fi

# Abort if the cd fails: the recursive chown/chmod below act on the current directory.
cd "${drupal_path}" || exit 1
printf 'Changing ownership of all contents of "%s":\n user => "%s" \t group => "%s"\n' "${drupal_path}" "${drupal_user}" "${httpd_group}"
chown -R "${drupal_user}:${httpd_group}" .

printf 'Changing permissions of all directories inside "%s" to "rwxr-x---"...\n' "${drupal_path}"
find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;

printf 'Changing permissions of all files inside "%s" to "rw-r-----"...\n' "${drupal_path}"
find . -type f -exec chmod u=rw,g=r,o= '{}' \;

printf 'Changing permissions of "files" directories in "%s/sites" to "rwxrwx---"...\n' "${drupal_path}"
cd sites || exit 1
find . -type d -name files -exec chmod ug=rwx,o= '{}' \;

printf 'Changing permissions of all files inside all "files" directories in "%s/sites" to "rw-rw----"...\n' "${drupal_path}"
printf 'Changing permissions of all directories inside all "files" directories in "%s/sites" to "rwxrwx---"...\n' "${drupal_path}"
for x in ./*/files; do
    # Skip the literal pattern when no site has a files directory.
    [ -d "${x}" ] || continue
    find "${x}" -type d -exec chmod ug=rwx,o= '{}' \;
    find "${x}" -type f -exec chmod ug=rw,o= '{}' \;
done
echo "Done settings proper permissions on files and directories"
Now run this script as:
sudo bash fix-permissions.sh --drupal_path=your/drupal/path --drupal_user=your_user_name
Voilà! Your permissions are automatically fixed.
Upvotes: 4
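The two answers above describe the same target state: no access for world, and group write only under sites/*/files and tmp. The following is an added example, not part of either answer or of the Drupal handbook: a read-only audit that lists the paths deviating from that state without changing anything. The function name `audit_drupal_perms` and the finding labels are made up for this example, and the root argument is assumed to be the Drupal docroot (htdocs in the first answer's layout).

```shell
#!/bin/bash
# Added example: read-only audit, changes nothing on disk.
# audit_drupal_perms and the finding labels are hypothetical names.
# Usage: audit_drupal_perms DRUPAL_ROOT [HTTPD_USER]
# Returns 0 if clean, 1 if deviations were printed, 2 on a bad path.
audit_drupal_perms() {
    local root="${1%/}" httpd_user="${2:-}" findings
    if [ ! -d "${root}/sites" ]; then
        echo "ERROR not a Drupal root: ${root}" >&2
        return 2
    fi
    findings=$(
        # 1) World gets no access: flag any r, w or x bit set for "other".
        find "${root}" \( -type f -o -type d \) \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/WORLD_ACCESS /'
        # 2) The group may write only under sites/*/files and tmp: prune
        #    those subtrees and flag group-writable paths everywhere else
        #    (this covers settings.php and every module and core file).
        find "${root}" \
            \( -path "${root}/sites/*/files" -o -path "${root}/tmp" \) -prune \
            -o \( -type f -o -type d \) -perm -020 -print |
            sed 's/^/GROUP_WRITE /'
        # 3) Optional: outside the writable subtrees nothing should be owned
        #    by the web server account, or it can chmod past checks 1 and 2.
        if [ -n "${httpd_user}" ]; then
            find "${root}" \
                \( -path "${root}/sites/*/files" -o -path "${root}/tmp" \) -prune \
                -o -user "${httpd_user}" -print |
                sed 's/^/OWNED_BY_HTTPD /'
        fi
    )
    [ -z "${findings}" ] && return 0
    printf '%s\n' "${findings}" | sort
    return 1
}

# Run as a script: bash audit.sh /path/to/drupal [www-data]
if [ "$#" -gt 0 ]; then
    audit_drupal_perms "$@"
fi
```

Because the exit status is non-zero when anything deviates, the audit can run from cron or CI before a fix script and report what a team member's upload changed.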
Reputation: 1831
default install on my local machine has
-rw-r--r-- all php files
drwxr-xr-x directories
drwxrwxr-x files folder
-r--r--r-- settings.php file
Upvotes: 5