One of my coworkers transferred a Drupal 6 site from a development server to a production server two weeks ago. We were informed today by the web host admin that it appears that there are some directories that should have tighter security permissions applied. We are assuming that something happened during the site migration and somehow some of the permissions were dropped in transit. Is there a way to restore default directory permissions, or a reference we can consult so that we can go about chmoding manually? I have searched around, but haven't turned anything up.

Thanks!

Comments

cog.rusty

The general guidelines are:
- all files and directories must be readable by the Apache user account,
- the uploaded files directory and all its subdirectories must also be writable by the Apache user account.

The correct permissions depend on
- whether Apache suexec is installed
- whether Apache is in your user account's group
- who is the owner of particular files or directories (for example the file uploads directory). Since you moved the files, probably now you are the owner of everything.

On most shared hosts neither of the first two is true, so all directories must be 755, all files must be 644, and the files directory and its subdirectories must be 777.
If Apache is in your user account's group, these can be 750, 640, and 770, respectively.
If suexec is installed, Apache can write as if it were you, so all directories can be 700 and all files 600.

Some useful commands to do the changes: (Let's take the first case.)

cd /home/blah/drupal
find . -type d -exec chmod 755 {} +    # make all directories 755 everywhere under Drupal
find . -type f -exec chmod 644 {} +    # make all files 644 everywhere under Drupal

chmod 777 files                        # assuming the uploaded files are in this subdirectory
cd files
find . -type d -exec chmod 777 {} +    # some modules may have subdirectories for images etc
find . -type f -exec chmod 666 {} +    # files now owned by you - modules may need to overwrite them

Also, as a security measure (I have no idea why), Drupal write-protects the sites/default directory and the sites/default/settings.php file (if it can) from everyone, even from your own user account. That should be all.
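
A read-only check for the first case described in the comment above (755/644 everywhere, 777/666 under the uploads directory), listing every path whose mode differs. This is an added example, not part of the original comment: `audit_perms` is a hypothetical helper name, the uploads directory is assumed to be `files`, and `sites/default` and `sites/default/settings.php` are skipped because Drupal write-protects them.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Drupal tree against the
# "first case" modes: directories 755, files 644, uploads dir 777, uploads 666.
# Assumptions: uploads live in "files" unless a second argument is given;
# sites/default and sites/default/settings.php are skipped on purpose.
#
# Usage: audit_perms /home/blah/drupal [uploads-subdir]
# Prints "want <mode>: <path>" per deviation.
# Returns 0 if clean, 1 if deviations were found, 2 if the root is unusable.
audit_perms() {
    root=$1
    uploads=${2:-files}
    out=$(
        cd "$root" || exit 2

        # Outside the uploads directory: directories must be exactly 755.
        find . -path "./$uploads" -prune -o \
            -type d ! -path ./sites/default ! -perm 755 -print |
            sed 's|^|want 755: |'

        # Outside the uploads directory: regular files must be exactly 644.
        find . -path "./$uploads" -prune -o \
            -type f ! -path ./sites/default/settings.php ! -perm 644 -print |
            sed 's|^|want 644: |'

        # Nothing more to check if the uploads directory does not exist.
        [ -d "$uploads" ] || exit 0

        # Uploads directory and its subdirectories: 777, files inside: 666.
        find "./$uploads" -type d ! -perm 777 -print | sed 's|^|want 777: |'
        find "./$uploads" -type f ! -perm 666 -print | sed 's|^|want 666: |'
    ) || return 2

    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}
```

The function only reads modes and never changes them, so it can be run before and after the chmod commands to compare results.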