Dear all,

At the moment, all my Drupal files and directories are readable by anybody because I've used a chmod -R 755 to be able to see the Drupal pages. I'd like to know which files and directories should be left readable. For example, configuration files are readable from the Web by anybody who knows their path. Could you point me to a document explaining which files and directories really need to be readable by anybody?

Many thanks in advance.

Comments

cog.rusty’s picture

All useful files, containing code or settings, *must* be readable by the web server. This usually means at least 755 for the directories and at least 644 for the files.

This does not mean that anyone who knows their web path can read them. Try it and see if you can.
- The settings.php file (which contains the database name/password) is a php file, and the web server does not just show the content of php files. It passes them to php for processing.
- There is some code in Drupal's main .htaccess file which can protect some file types from prying eyes.
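As an added example (not code from this thread or from Drupal), here is a small audit that applies the two rules just given, directories at least 755 and files at least 644, and also flags anything world-writable, which is the usual side effect of a careless recursive chmod. The sample tree, its paths and the two deliberate mistakes in it are constructed in a temporary directory; no real site is touched.

```python
"""
Permission audit for a Drupal document root.

Added example, not code from the thread or from Drupal. Checks that every
directory carries at least 0755 and every file at least 0644 (what the web
server user needs), and reports world-writable entries. The sample tree is
constructed in a temporary directory.
"""
import os
import shutil
import stat
import tempfile

DIR_NEEDED = 0o755    # web server user needs r-x on every directory
FILE_NEEDED = 0o644   # and r-- on every file it serves or includes
WORLD_WRITE = stat.S_IWOTH


def audit_tree(root):
    """Return sorted (relative_path, mode, problem) tuples for root's contents."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            rel = os.path.relpath(full, root)
            if mode & WORLD_WRITE:
                findings.append((rel, mode, "world-writable"))
            needed = DIR_NEEDED if is_dir else FILE_NEEDED
            if (mode & needed) != needed:
                findings.append((rel, mode, "not readable by web server"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (assumed layout) with two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="drupal-audit-")
    for d in ("sites", "sites/default", "sites/default/files"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)  # explicit: do not trust umask
    files = {
        "index.php": 0o644,
        "sites/default/settings.php": 0o644,
        "sites/default/files/upload.txt": 0o666,  # anyone on the box can edit it
        "sites/default/secret.inc": 0o600,        # owner only: the include fails
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    return root


def audit_sample_tree():
    """Build the sample, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, mode, problem in audit_sample_tree():
        print("%-32s %04o  %s" % (rel, mode, problem))
```

Note that the audit only looks at mode bits. Files such as settings.php or anything ending in .inc must stay readable by the server user; keeping the browser away from them is the job of the FilesMatch rule in .htaccess (or its copy in the main server configuration), which is why the advice above is to simply try fetching one.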

jmseigneur’s picture

Thanks for your quick answer.

Concerning the "Drupal's main .htaccess file which can protect some file types from prying eyes", I've copied its content into /etc/apache2/sites-available/default because I set AllowOverride None in this file as recommended by Apache (Directory instructions are specified in this file instead), and thus .htaccess files are not used. Is it fine?

cog.rusty’s picture

If the apache directives do work that way, then of course it is fine. There is only one way to be sure. Try to access one of those files.

That said, I am not sure why you should consider AllowOverride None a recommended setting. Specifying per directory settings with .htaccess seems so simple.

jmseigneur’s picture

"That said, I am not sure why you should consider AllowOverride None a recommended setting" because of the text below, which is copied from the Apache documentation at http://httpd.apache.org/docs/1.3/howto/htaccess.html:
"In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things."

Logrise’s picture

When I uncomment these lines in .htaccess
#
# Order allow,deny
#
I can't get access to admin and the site - Forbidden 403.
If they are commented out, all works fine. What is the reason?

cog.rusty’s picture

This is how it is supposed to work. Look here for an explanation of allow,deny

http://httpd.apache.org/docs/2.0/mod/mod_access.html

However I don't think the directives in your question exist in the .htaccess file of either D6 or D5, except in the beginning, in the part where Drupal tries to protect some file types.

Logrise’s picture

Thank you for the answer, the link was useful. But I spent 4 hours gaining an understanding of this deal...
Maybe it needs to be included in install.txt????? :)

chroid’s picture

Hey guys,

I'm not 100% sure if this is related, but I've looked around and haven't been able to find much.

I have my Drupal file system set to sites/default/files, using the 'Public' download method.

Access of files and everything is fine, however, the site (via user registration) generates a folder within sites/default/files for each individual user (uid) and stores user specific files there.

The problem I'm having is, when user #75 (for example) accesses their file(s) at sites/default/files/75/file.pdf, there is nothing stopping them manually changing that id (in the address bar) and accessing Mr/Mrs 73's files. A BIG no no in terms of security.

Any ideas, lovely Drupal people?

C

cog.rusty’s picture

If you are using Drupal's "public download method" it is hard to selectively restrict access by Drupal user. Any valid html link in your content is served directly by the web server to the browser. Drupal has no say in this, and normally the web server knows nothing about Drupal users.

One solution is to make all files inaccessible from the web (by moving all of them somewhere off the web or with a deny from all .htaccess directive) and then use Drupal's "private download method" to have Drupal read the files and serve them to authorized users through virtual paths (/system/files/somepath/filename).

Or maybe you could look for a way to combine Apache password authentication with Drupal users. (I don't know how.)

chroid’s picture

Thanks cog.rusty,

Muchly appreciated feedback!

I will look into it and post with how I get on!

C.

kumarldh’s picture

Maybe I am very late to this discussion, but here is what I will do:
a) hash the file name and store it in a protected directory not accessible to the outside world but only to the server
b) store the hashed name and other related info in the DB and map the name to users
c) create a virtual path which actually points to some script that reads the file and outputs (in plain English, echoes) it with proper headers
The script in point c can be exposed only to authorised users. I am not a Drupal expert, but as Drupal is such a wonderful thing there must/will be a module to do this. :-)
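As an added example (not Drupal code and not from anyone in this thread), here is a model of the three steps above, which is also what cog.rusty's "private download method" amounts to: uploads are written under a hashed name into a directory the web server never exposes, a table maps a file id to its owner, and one handler reads the file back and returns it with headers only after checking that owner. The in-memory table, the store directory, the two users and their files are all constructed for the example.

```python
"""
Ownership check for per-user downloads.

Added example, not Drupal code and not from the thread. Models the scheme
described above: hashed storage name in a private directory, a table mapping
file id -> owner, and a single serving routine that decides on the owner
column rather than on anything in the URL. Table and store are constructed.
"""
import hashlib
import os
import secrets
import tempfile

# Private store outside the document root (a temp dir in this example).
STORE = tempfile.mkdtemp(prefix="private-files-")

# Stand-in for the database table: file_id -> owner, stored name, display name.
FILES = {}


def store_upload(owner_uid, original_name, data):
    """Save data under a salted hash of its name; return the new file id."""
    salt = secrets.token_bytes(16)
    stored = hashlib.sha256(salt + original_name.encode("utf-8")).hexdigest()
    with open(os.path.join(STORE, stored), "wb") as fh:
        fh.write(data)
    file_id = len(FILES) + 1
    FILES[file_id] = {"owner": owner_uid, "stored": stored, "name": original_name}
    return file_id


def serve(requesting_uid, file_id):
    """Return (status, headers, body); the decision is made on the owner column."""
    record = FILES.get(file_id)
    # One answer for "not yours" and "does not exist": editing the id in the
    # address bar must not reveal which ids are in use.
    if record is None or record["owner"] != requesting_uid:
        return 403, {}, b""
    # Only the server-generated hex name ever touches the filesystem, so the
    # client's original file name can never become a path.
    with open(os.path.join(STORE, record["stored"]), "rb") as fh:
        body = fh.read()
    safe_name = os.path.basename(record["name"]).replace('"', "")
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "Content-Length": str(len(body)),
    }
    return 200, headers, body


def demo():
    """Two users, one file each; user 75 asks for its own file, 73's, and a bogus id."""
    mine = store_upload(75, "report.pdf", b"user 75 report")
    theirs = store_upload(73, "notes.pdf", b"user 73 notes")
    return {
        "own": serve(75, mine),
        "other_users": serve(75, theirs),
        "missing": serve(75, 999999),
    }


if __name__ == "__main__":
    for case, (status, _headers, body) in demo().items():
        print("%-12s %d %r" % (case, status, body))
```

The virtual path from step c would map to serve(); whatever the real framework uses for the session, the only input that matters for the decision is the authenticated uid, so changing 75 to 73 in the address bar returns 403 just like an id that does not exist.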