I think the webchick works for MI6


Sorry Angela, that was a bad joke :)

Anyway, by default Drupal 7 saves files in sites/default, where your settings.php is. This should not be. Your sites/default folder permissions should be owner read/execute (500) and your settings.php should be owner read (400). You should move saved files to sites or sites/all; I am sure it was just an oversight.

Hope everyone has a Great Holiday!

Ran

Comments

sites/default/files


My understanding is that user-uploaded files should be stored in sites/default/files and any additional subdirectories from there. Technical details of this process and the path are outlined here: http://www.rahulsingla.com/blog/2011/06/drupal-7-handling-file-uploads-a.... I suspect putting user uploads into sites/all would be considered "bad practice".

sites/default


You want to harden sites/default with everything you've got, because settings.php has your username and password for your database. The file system API is a wrapper, so if you change Administration » Configuration » Media/file system to sites/files instead of sites/default/files and move the file up to sites/, everything still works fine. I do not see any problems with moving it to sites/all. Being in sites/default with permissions set at 755 on the default folder is not best practice.

Visit


Visit admin/config/media/file-system to set the path to your files (or enable the private file system, which will take your files completely out of the web root).

If you have issues with the default placement, you're more likely to effect change on drupal.org in the issue queue.

Hi eliza


The private file system does not put the file system out of the web root; it uses .htaccess to keep people out.

My main point was that I've


My main point was that I've heard others voice concerns about the location of files within sites/default and you might have more luck voicing concerns in the issue queue.

To clarify what I meant about the files location, I was referring to a configuration like the following:

/var/www/seven - where the git repo is initialized
/var/www/seven/drupal - the document root for Apache, which is what I meant by web root
/var/www/seven/files - the location of private files (still accessible by the web server, indeed locked down with .htaccess, but outside the document root the way I think of it; it's nowhere near sites/default, at any rate)

Apologies if that wasn't helpful.

Yes, I should also have written "unless you specify it"


I am sure anyone who knows how to build their own box knows this. In the private file system, just use ../files to get up out of the root. Congratulations to BenK; the award will be an adventure of a lifetime, with some of the best seafood on earth in Chile.

I should explain the joke: that's a spy's M.O., send in someone who is the least likely to be noticed to effect change.

Ran
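The two hardening points argued over in this thread, that sites/default and settings.php should be locked down well below Drupal's 755/644 defaults, and that a private file path such as ../files should resolve outside the Apache document root in the layout eliza411 describes, can both be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from Drupal core or from any of the posters. The function names, the `hardened`/`loose` demo directories and the placeholder settings.php it builds under mktemp are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Drupal): audit a Drupal 7
# document root for the permission and private-path advice given above.
# All paths below are constructed in a throwaway temp directory.

# Print the octal permission bits of a path (GNU stat, else BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if neither group nor others hold the write bit on $1.
# Octal digits 2, 3, 6 and 7 carry the write bit: 500, 400 and 644 pass,
# 775 and 664 fail.
no_group_other_write() {
  mode=$(file_mode "$1")
  go=${mode#"${mode%??}"}            # last two digits: group, other
  case "$go" in *[2367]*) return 1 ;; esac
  return 0
}

# Succeed if "others" cannot read $1 (last octal digit lacks the read bit 4).
# settings.php at 400 passes; the common 644 fails.
not_world_readable() {
  mode=$(file_mode "$1")
  other=${mode#"${mode%?}"}          # last digit: other
  case "$other" in [4567]) return 1 ;; esac
  return 0
}

# Succeed if the private file path $2 (absolute, or relative to the document
# root $1, which is how Drupal 7 treats a relative file_private_path) resolves
# outside the document root. Both directories must exist.
private_path_outside_docroot() {
  root_abs=$(cd "$1" && pwd -P) || return 2
  priv_abs=$(cd "$1" && cd "$2" && pwd -P) || return 2
  case "$priv_abs" in "$root_abs"|"$root_abs"/*) return 1 ;; esac
  return 0
}

# Print PASS/FAIL with a label for one check; propagate its result.
run_check() {
  label=$1; shift
  if "$@"; then echo "PASS: $label"; return 0; fi
  echo "FAIL: $label"; return 1
}

# Run every check on a document root and return the number of failures,
# so 0 means the layout matches the advice in the thread.
audit_drupal_root() {
  docroot=$1; private_path=$2; failures=0
  run_check "sites/default not group/world writable" \
    no_group_other_write "$docroot/sites/default" || failures=$((failures + 1))
  run_check "settings.php not group/world writable" \
    no_group_other_write "$docroot/sites/default/settings.php" || failures=$((failures + 1))
  run_check "settings.php not world readable" \
    not_world_readable "$docroot/sites/default/settings.php" || failures=$((failures + 1))
  run_check "private files outside document root" \
    private_path_outside_docroot "$docroot" "$private_path" || failures=$((failures + 1))
  return $failures
}

# Build a constructed tree: a "hardened" docroot locked down as Ran suggests,
# a "loose" docroot left at 755/644, and a sibling files/ directory for
# private uploads as in eliza411's layout. Prints the base directory.
make_demo_tree() {
  base=$(mktemp -d)
  for site in hardened loose; do
    mkdir -p "$base/$site/sites/default/files"
    printf '<?php\n// constructed placeholder settings.php\n' \
      > "$base/$site/sites/default/settings.php"
  done
  mkdir -p "$base/files"
  chmod 400 "$base/hardened/sites/default/settings.php"
  chmod 500 "$base/hardened/sites/default"
  chmod 644 "$base/loose/sites/default/settings.php"
  chmod 755 "$base/loose/sites/default"
  echo "$base"
}

# Restore owner write permission and delete the demo tree.
remove_demo_tree() {
  chmod -R u+w "$1" && rm -rf "$1"
}

# Stand-alone run: the hardened layout with ../files passes; the loose one,
# keeping uploads in sites/default/files, reports two failures.
demo_base=$(make_demo_tree)
audit_drupal_root "$demo_base/hardened" ../files || echo "hardened: $? failure(s)"
audit_drupal_root "$demo_base/loose" sites/default/files || echo "loose: $? failure(s)"
remove_demo_tree "$demo_base"
```

Point `audit_drupal_root` at a real checkout and the value you have set for the private path, for example `audit_drupal_root /var/www/seven/drupal ../files`. The script only reads modes and resolves paths; it changes nothing, and the 755/644 defaults show up as FAIL lines rather than being silently accepted.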

also


If you have your own server and can make a file outside the root, you should move your settings.php there. You do that inside the includes/bootstrap.inc file. Then, if you really want to get serious about security, you should compile your own Linux kernel from kernel.org. You should never, never use a Java-based Linux like Ubuntu Server. Why? You're trying to lock down your site; why add one of the most powerful client-side scripts to the equation for a little convenience?

Ran

Merry Christmas everyone, and I think Jesus loves the commercialism of Christmas. Heaven forbid people be able to pay rent and eat.