Drupal: "All necessary changes to ./sites/default and ./sites/default/settings.php have been made, so you should now remove write permissions to them. Failure to remove write permissions to them is a security risk."

User: "That sounds scary. Uh... How do I remove write permissions?"

Comments

ChrisKennedy’s picture

ChrisKennedy commented
Title: Unhelpful error message in installer » Improve security notice in installer

Let's be positive here - that notice is more useful than nothing (Drupal used to not display any notice), but I agree with you that it could be better.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

Actually, the initial notice of requiring write permissions is similarly non-specific:

"The Drupal installer requires write permissions to ./sites/default during the installation process."

Note that these same types of messages are also in admin/logs/status and need to be changed there as well.

Can I get confirmation that the write permissions is 777 and the read permissions is 755? Anyone feel up to writing a "for dummies" guide on how to chmod files for the handbook, to which we can refer? Or is there one already?

julien’s picture

julien commented
Status: Closed (duplicate) » Active

if you do a chmod 755 file, the first number 7 means write, read, execute rights for the owner, the second is for the group, the third for others.
the read right have a value of 4, the write value of 2, and the execute value 1, so for the owner the first number, is 7 so it have write, read and execute.
if the second number, the group of the file, here 5, it means that it have the read right and the execute right, because 4+1 = 5
it's the same operation for the last ones for the right attribute to others..

Anonymous’s picture

Anonymous (not verified) commented

I thought the installer already set the settings.php file to 444. Setting the directory containing settings.php to 755 makes sense. I say "containing settings.php" for those multi-site installs. For the documentation we could state it more like this.


To maintain security for your web system the install system sets the settings.php file to read only. You should make sure the directory containing the settings.php file is read+write+execute privileges for the owner and read+execute privileges for everyone else.

We have different operating systems to support so the mention of chmod isn't correct except to give UNIX examples.

<example os="UNIX" site="default">
chmod 444 sites/default/settings.php
chmod 755 sites/default
</example>

<example os="WINDOWS" site="www.sample.com">
attrib +R c:/drupal/sites/default/settings.php
</example>
keith.smith’s picture

keith.smith commented
Status: Active » Closed (duplicate)

Duplicate of http://drupal.org/node/145335

Status: Active » Closed (duplicate)

Correcting issue status, see #2125263: Issue status not taken from last comment during D7 migration.