Hello!
I have installed the module "security review" and it notify me that I have the wrong file permissions.
I have not done any configuration to the file permissions since I recently installed drupal.
My settings
Folder 755 (except for sites/default folder that has 555)
Files 644 (except for settings.php that has 444)
The security review module tells me that everything under sites, modules and themes have the wrong file permissions. (basically the whole drupal installation)
On this site: http://drupal.org/node/244924, you get an explanation on how to set the right file permissions. However I do not fully understand what they want me to do.
Since I on a shared host, first part:
"Note for hosted Drupal installations
It's important to notice that the owner of Drupal's root directories and files is the root user and group is the group your apache is running on. For files and directories inside the sites directory the user who is hosting the site on your server is their owner. The best way to do this is to delete the sites directory and make it a symbolic link to /home or other path you use to store user's home directories."
I do not understand what the security team is recomending me to do. Anyone that can give me a hint or a step to step guide?
Second part
[root@localhost]cd /path_to_drupal_installation
[root@localhost]chown -R greg:www-data .
[root@localhost]find . -type d -exec chmod u=rwx,g=rx,o= {} \;
[root@localhost]find . -type f -exec chmod u=rw,g=r,o= {} \;
"The second command will give ownership recursively on Drupal's root directory for user greg and www-data group. Don't do this if you are in a hosted installation. To the Drupal's root files and directories the user root must be the owner, not greg."
Does that meen I shall only do line 3 and 4, or does it meen that I shall not do this at all when you are on a shared host?
I need some help and advice on what file permission I shall have in order to enhance security of my site.
Best regards
Martin
Comments
have the same problem
I have exactly the same problem, and I'm not sure on how to rectify my install for better security. Which files/folders should actually be 555 and 444? I have exactly what you have above.
I think the note for hosted
I think the note for hosted installations apply to people who run shared servers (and provide Drupal to their customers/users). It
It'll be different if you are managing your own Drupal installation within a shared hosting environment. The advice above that would be more likely to apply.
Hosting providers vary in their set-up, so it's difficult to give clear instructions other than to say you should have the most restrictive permissions possible while still having everything working.
Ideally I think you should have:
That makes (Dir) 750, (File) 640
If you can apply this, that's fine, however...
One potential problem with shared hosts is they might only provide you with one user/ group account (no root or www-data). They configure it so the web server runs with the permissions of your account. This makes complete sense from their point of view and protects customers from each other. However, it means you can't have separate permissions for you and the server. In such cases, you need to restrict write permissions for yourself to prevent write access for the server.
ie. Directories: 550, Files: 440, Upload Directory: 770
This means that you have to change permissions whenever you modify or add files. Perhaps make changes on a copy then set perms on the copy and replace the old one.
Another potential problem is that if php is run as cgi rather than an apache module, you might need to give r /x permissions to 'other' to get it working. In this case you can't restrict permissions as recommended.
(Note these problems are specific to certain hosts not to Drupal. )
Good explanation
Hi Che Molava, your explanation is the best I can find so far. I therefore contact my hosting company and it looks like my situation might be "they might only provide you with one user/ group account (no root or www-data). " as you mentioned.
They told me "The server should have write permissions for your files so you are able to edit these, this is actually in your own username not a "server" user." Is it secure to leave it as it is? The current settings are Directories: 755, Files: 644.
Cheers,
Yanxi
Hi Yanxi, From a security
Hi Yanxi,
From a security point of view, it's a bad idea to give the server/php write permissions on your site files. If anyone found a way to execute scripts from your site, there would be no limit to the damage they could do. 555/444 would be safer. 550/440 would be better still (though test that this works first as it might give you a server error).
You then need to work out a way of efficiently updating drupal and installing modules etc. This depends on how you administer your files. One way to consider is to only make changes to a copy of the site which is kept out of the public_html directory. Once you've made your changes, remove write permissions on the updated copy before switching it with your live site. You might find symlinks a cleaner way of switching than physically moving and renaming directories.
If it's not possible to remove write permissions for the server then at the very least disable or uninstall the php filter module and restrict account creation and file uploads as much as possible. Also, be careful about what's in your public html directory. Don't leave old versions of any software you try out etc. in there.
All the best,
Che
Hi Che, Many thanks for your
Hi Che,
Many thanks for your prompt reply. My hosting company wrote to me as this "As PHP is ran as your individual user these files are secure because no other user can write to these, some other PHP setups use an overall server user which is less secure, we run PHP as specific user accounts though which means that no user can edit any other user's PHP files with these permissions." Is it the case?
As my site is still in development status, I will need to upload files, update modules, apply patches and test theme. I don't know if changing to 555/444 would bring me too much inconvenience. Also I don't really understand how to use symlinks to make it easier. Could you give a bit more details on that please?
In a few places I need php filter to return the desired result, so I can't really turn it off. Anonymous users can create accounts by registering and logged in users are able to uploads files. So it seems nothing I can do in this case. Am I stuck?
Cheers,
Yanxi
Inaccurate message from Security Review?
Hi,
My issue is similar in that I have run the Security Review and the recommendation was to correct the permissions for dozens of files and directories. But, I am thinking the message isn't accurate.
Checking Apache (using ps aux | grep apache) I saw the server is running with the user (and group) 'nobody'.
There are multiple sites set up on the site (via cPanel I understand) with each site having a dedicated 'users' with its own root directory (and child directories and files) being owned by the site's owner.
Security Review says "it is dangerous to allow the web server to write to files inside the document root of your server" but, to me, the web server (user nobody) doesn't have access to these files, only the site owner does.
Can anybody tell me if I can safely ignore this Security Review message or am I missing something.
Thanks,
Geoff
They might be running Apache
They might be running Apache with some kind of wrapper ( suEXEC, suPHP) that executes scripts with the permissions of the site owners. In that case write permissions should not be set even for owner. Also, You might still need to give read permissions (and execute for directories) for 'other' if apache's running as nobody.
here's how i would access the
here's how i would access the my file permissions on a shared hosting (apache web servers), and i'll use a cpanel hosting as example.
there are 3 components of file/directory ownership that we need to remember.
- owner (read, write, execute)
- group (read, write, execute)
- others (read, write, execute)
from the above you only need to find out what the web server user is (on redhat family you have "apache", on debian you have "www-data", on cpanel they have "nobody"). this user need to have "read" access to your files/folder and "write" access as needed - in the case of Drupal this user needs to have "write" access only to your "sites/default/files" or whereever you drupal files directory is.
most hosting servers (ex: cpanel) they assign the web server user to "others", and owner/group components is yours. so on my cpanel server, i would set my users this way:
[root@localhost]cd /path_to_drupal_installation
[root@localhost]chown -R cpanel_user:cpanel_user .
[root@localhost]find . -type d -exec chmod u=rwx,g=rx,o=rx {} \;
[root@localhost]find . -type f -exec chmod u=rw,g=r,o=r {} \;
[root@localhost]chmod -R o+w sites/default/files
line 1: tell you to go inside your drupal install path
line 2: sets the "owner" and "group" of all files and directories
line 3: find all directories and set the permission of "owner" to "read/write/execute" and "group"/"others" permission to "read/execute" - no "write".
line 4: find and set permissions to files, which gives "others" a "read" access. this "read" access allow the web server to read your code/site files.
line 5: grants "write" access to "others" (which refers to your web server user) for you drupal files directory. this allows your site to create imagecache, save aggregated css/js files, upload files/images/etc of your site.
basically, you only want to limit where the web server can write or upload files.
Good stuff Gerold
Hi Gerold,
Good info here for people on a shared host or server config where they cannot use chown or chgrp. I want to add that in addition, a person will want to also change there settings.php file back to read only with:
[root@localhost]chmod ugo=r sites/default/settings.phpThanks for you detailed write up, I found it very helpful.
Cheers,
Elijah Lynn
Setting files, especially
Setting files, especially settings.php, to be readable by "other" in a shared hosting environment seems like a risk. That would let anyone who can shell or ftp to the site to see your database credentials and any other sensitive variables stored in that file which could let them take over your site.
Any suggestion for a specific set of permissions "ugo=r" or "440" that doesn't take into account the owner and group and who else has access to the server is going to be incomplete in some way. If the "group" on a file contains untrusted users then the only solution is 400. This is an unfortunate area where the instructions have to be complex because the topic is complex and implementations are so varied.
knaddison blog | Morris Animal Foundation
Is there a list somewhere
Is there a list somewhere that shows exactly what permissions we need to set for each folder/file?
Also settings in .htaccess, php.ini and settings.php
I have installed Drupal 6.30 manually and have a lot of permission issues, even though I have followed the 'conflicting' directions in many support forums like this one!
Try IRC
Hi Vako!
We'll get you going! Without knowing more specifics, it's really hard to know what you need. I suggest jumping on an IRC channel and see if someone there can give you some realtime help. Here's a link to the IRC information for Drupal users: https://drupal.org/irc This link helps too: https://drupal.org/node/1259224
I have to wonder why you are creating a new Drupal 6 site? Why not use Drupal 7? Drupal 8 will be coming out this year and at that point, if I'm not mistaken, Drupal 6 will no longer be officially supported; the security team won't be issuing updates either.
Cheers,
Jeff
It's not a new installation.
It's not a new installation. I have a 7 year old site made with Drupal 6, migrated it to another host. They have Fantastico automated scripts, but it only installs D7.
I did install D6 manually and imported the site database, the website is up and running, however there are some permissions and configuration issues.
e.g.: in IMCE, when I try to upload an image, I get a message saying "Upload Failed".
The upload folder permissions is 775. Even if I change it to 777 I get the same message.
Any help is appreciated.
what about the parent
what about the parent directory and subdirectories? It could be that the web server can't get into the /files/ directory, or it can't write to a subdirectory within in /files/
My file/folder permissions
Thank you for the quick response.
Here are all the permissions:
All files - 644
sites folder - 755
sites/default folder - 555
files folder - 777
folders within the files folder - 775
settings.php - 444
The file system at /admin/settings/file-system is set to: sites/default/files
Note that there are no errors in the Status Report.
Isn't there a guide at drupal.org that explains the correct permissions?
I have searched and just found forum topics and each one different!
I found the issue to be
I found the issue to be linked to a module. Sorry for the confusion. You may ignore my previous post.
Thank you.