by James SansburyJuly 20, 2011

Keeping Drupal's Files Safe

When Drupal users deploy their first (or second, or tenth...) site to a real web server, one of the most common points of confusion is the proper access permissions for the files directory and settings.php. Because the files directory stores uploaded content from the site's users, badly configured permissions are a potential security risk. Lock it down too tightly, though, and managing backups or future migrations can be a pain.

My standard starting point when creating a new Drupal site on a server is to create or select an existing user that is a part of the web server group (typically the Apache group), and give ownership of all Drupal files to that user. On Ubuntu, these are the commands to get that set up:

  # Create a new example user.
  useradd -s /bin/bash -m example;

  # Now add that user to the Apache group. On Ubuntu/Debian this group is usually
  # called www-data, on CentOS it's usually apache.
  usermod -a -G www-data example;

  # Set up a password for this user.
  passwd example;

Once I have that set up, I'll log in as the user and install Drupal at /var/www/example/docroot or a similar path, then create the files directory by hand and copy over the settings.php file. Since we log in as our example user before copying in Drupal, our file ownership and permissions should automatically be properly configured on all the core Drupal files and scripts (including .htaccess files).

su - example
cd docroot
cp sites/default/default.settings.php sites/default/settings.php

# Temporarily give the web server write permissions to settings.php
chgrp www-data sites/default/settings.php
chmod g+w sites/default/settings.php

Now let's set up the files directory.

# Create the directory.
mkdir sites/default/files

# Now set the group to the Apache group. -R means recursive, and -v means 
# verbose mode.
chgrp -Rv www-data sites/default/files

Next we'll set up permissions so that the web server can always write to any file that is in this directory. We do this by using 2775 in our chmod command. The 2 means that the group id will be preserved for any new files created in this directory. What that means is that www--data will always be the group on any files, thereby ensuring that web server and the user will both always have write permissions to any new files that are placed in this directory. The first 7 means that the owner (example) can R (Read) W (Write) and X (Execute) any files in here. The second 7 means that group (www-data) can also R W and X any files in this directory. Finally, the 5 means that other users can R and X files, but not write.

 chmod 2775 sites/default/files

If there are any existing files in this directory, be sure the web server has write perms on them.

 chmod g+w -R sites/default/files

Now Drupal is ready to be installed. When finished, it is VERY important to come back to settings.php and ensure that all users only have read permissions.

 chmod 444 sites/default/settings.php

That's it! This set up will keep uploaded files from being executed and settings.php from being accessed improperly, and sidestep annoying lockouts that prevent you from writing, changing, or removing user-uploaded files.