Drupal needs 'files' to be 777 :(

My web host recently updated the server so it runs suPHP and suddenly all the file-upload stuff stopped working. I fixed it for myself, and perhaps my heroic story will help you or someone else.

If I understand it correctly, suPHP will not permit write access to files/directories with 777 permissions because it's a security risk. But Drupal (and a LOT of other software) tells you to set writeable folders to 777 and needs them that way! HOWEVER, Drupal is smart enough that it uses the built-in PHP "is_writable" function to test whether folders are writeable and doesn't actually test for 777 permissions specifically. So if you correctly configure the files and directories on a server running suPHP, you WILL be able to use Drupal uploads with no trouble. (A server configured with suPHP will apparently answer the "is_writable" according to its own security policies and not based on a simplistic "is it 777 or not" test.)

So what I found is that if your server uses suPHP:

• It will report any file/directory with 777 permissions as being NOT writeable. (is_writable will return false.)
• Unlike with a normal shared-server Apache setup, which will report a file/directory with 755 as being not writeable (i.e. normally PHP can only write to a file/directory which is 777 -- see this thread for more: http://drupal.org/node/162073), with suPHP setting the permissions to 755 makes them writeable. So in this way it's REVERSED. However:
• Any file/directory you want to be writeable must also have its group and owner set to be the same as the group and owner under which the PHP parser (i.e. Apache, I believe) runs!

So both the permissions and the ownership must be correctly set for PHP file operations to take place on a suPHP setup. Unlike with your basic Apache/PHP setup, where just setting a file/directory to be 777 was enough.

Often a PHP script (or at least the files and directories it creates) are set to group "nobody" and owner "nobody." This causes suPHP to balk, because Apache itself is running under an actual Apache group and owner, and only allows PHP to perform writes on files/directories which have that same group and owner. (Corrections are welcome here, by the way--I'm just summarizing what I've learned today and don't know enough to be confident I'm fully technically accurate.)

For example, if you run myfavoritefungi.com it's likely your account login name will be something like "myfav" when doing FTP uploads or logging into the web control panel. This is often the group and owner name as well; so if you uploaded "myfile.jpg" to your web root via the FTP, it would show up in a shell listing (i.e., typing "ls -l" at the command prompt when logged in via SSH) as:

-rw-r--r-- 1 myfav myfav 104534 Feb 18 20:00 myfile.jpg

The "myfav myfav" bit is the group and owner. If you have suPHP, then the whole PHP program (in our case, Drupal) will be running as "myfav" and will only be able to write to files/directories which are "myfav" as well.

So the first step is to set the permissions of all PHP-writeable folders (such as "files") to 755 as opposed to 777. The second step is to set the ownership to your server's group and owner name--in our example, "myfav". (If you don't know what this is and can't figure it out by looking at the group/owner of the index.php file in your web root or by using your login name, then contact your web host and ask them what it is.)

If your group/owner is "myfav" and you have a directory listing like this:

drwxr-xr-x  9 myfav myfav   4096 Nov 10 16:00 files1
drwxr-xr-x  9 nobody nobody   4096 Nov 10 16:10 files2

Then the "files1" folder will be writeable by PHP, and the "files2" folder will NOT. Change it to be myfav/myfav and voila! It's writeable.

So here's my solution:

1. Make sure all the files and directories which USED TO BE 777 are now changed to 755. The way I did this was I connected to my server via SSH shell, navigated to the web root directory (don't forget this!) and issued this command:
   find -perm 777 -print
   This found and listed all the 777 stuff on my website. I verified they were what I expected to see, then issued the actual order (be SURE all the above-listed files are the ones you want changed before issuing this!):
   find -perm 777 -exec chmod 755 {} \;
   This found and then changed to 755 all the 777 stuff.
2. Make sure all the files and directories which you want to be writeable are now set to the proper group and owner. I made sure I was still in the web root directory (again, don't forget this!) and issued this command:
   chown -R myfav:myfav files
   This changed the ownership on the "files" directory and ALL files and directories beneath it. For a Drupal site, this may be all you need to do; if you have other directories or files you need to make writeable then replace "files" with that file or path. The "-R" switch makes it recursive; if you're doing it on a directory and don't want to apply it to any subdirectories, leave that switch out. For the "files" directory on Drupal you'll undoubtedly want to leave it in. Remember to replace "myfav:myfav" with the actual group and owner name you discovered was used by PHP.

This fixed it for me. My case was one where the server USED to use a typical Apache/PHP setup where 777 was required before but the host upgraded it and added suPHP so there were "nobody:nobody" files and directories and 777s in the "files" tree; it may be different with different setups but this should at least provide a good starting point for people dealing with this problem.

I imagine this solution would also apply to a lot of other PHP programs; you'd have to do similar work for files/directories they expect to be writeable. But you'd also have to vet the scripts and make sure they aren't explicitly setting permissions to be 777 on files/directories they create (since now you want them to be set to 755), and make sure they aren't checking purely for "777" when performing "is it writeable" checks rather than using the "is_writable" function.

Hope this helps someone!

I don't know if this will help anyone, but at least it was useful for me. If you don't want to open your 'files' to everybody 777, you can change the owner of the file and keep it writeenabled only to its owner. In my case Drupal uses the www-data user to access the files. So it would be necesary to do this:

$ chown -R www-data sites/default/files
$ chmod -R 0700 sites/default/files

I found it here: http://drupal.org/node/394704

For those who are considering setting up a single user Apache+CentOS+suPHP+cPanel system you may wish to inspect my forum posting collating some reference links relevant to this topic; Support » Installing Drupal: SECURITY CONCERN: reference links: suitability for Drupal CMS of Apache+cPanel+suPHP on single user system (VPS or Dedicated)