What permissions does Drupal need?

Now that you know which user the webserver runs as, you'll need to make sure your file and directory permissions are set properly. If you set them too tight, Drupal won't run properly, or even at all. Too loose, and you run a higher risk of security breaches.

Most of the time, any files you upload should end up with the correct permissions to run a basic Drupal site. Your webhost will have set the default permissions so that uploaded files can be read by the webserver.

Where things get trickier is with the infamous 'files' directory. If you install or enable modules that upload files or images, they get stored under this directory. To do this, the webserver will need write access to this directory. This also means that any files uploaded this way will be owned by the webserver user account, and you may no longer be able to move or delete them with your FTP client or control panel, as you might not have enough permissions. In most cases you don't need to worry about this too much, but if you really have to delete some of these files manually, there are ways around the problem: you can upload your own PHP scripts for the webserver to run and change the permissions.

Basic summary of file permissions for a Drupal installation:

All the Drupal files (e.g. .php, .module, .css, .theme and images) need to be readable by the webserver account. The 'files' directory is generally the only directory that needs to be writable by the webserver account.

If you get error messages complaining about missing files, or about not being able to open or read a file, and you know that the file really is there, chances are that the webserver doesn't have read permission for it. Recheck the permissions on subdirectories etc.

Ideally your settings.php file won't be world readable, as it contains your database connection string (with password). Sometimes, though, you can't avoid it, if making it world readable is the only way your webserver can read it.

Along similar lines, ideally for security reasons you won't have to make anything world writable. But on a lot of webhosts it is hard to avoid having to make the 'files' directory world writable. Whatever you do, don't make anything other than the 'files' directory world writable. Doing so makes it easy for other users to overwrite your Drupal files.

If it is possible through your admin interface, it can be useful to assign the group ownership of the 'files' directory to the group the webserver runs as, and allow group write access. This improves security a bit by not requiring the directory to be world writable.

Quite often you will hear people talk about setting permissions to 777, which means no restrictions at all. While that is a good way to isolate any permissions issues when troubleshooting, you should try to tighten the permissions back again afterwards if possible. Preferably you wouldn't need to use 777 permissions anywhere.

Another thing to keep in mind is that a permission setting only tells part of the story about access. When troubleshooting, it is also important to know who the owner and group are, as well as which user the webserver runs as.
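The checks described above (nothing world writable except 'files', settings.php not world readable, owner and group shown next to the mode) can be automated. The following is an added example, not part of the original page or of Drupal itself; the function name and the assumption that 'files' sits directly under the site root are illustrative, so pass a different relative path if yours lives elsewhere.

```python
import os
import stat
import sys


def audit_drupal_permissions(root, writable_dir="files"):
    """Walk a Drupal tree and return sorted findings as
    (relative_path, issue, octal_mode, owner_uid, group_gid) tuples."""
    # Assumption: writable_dir is the upload directory, relative to root.
    allowed = os.path.join(root, writable_dir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # on Linux a symlink always shows mode 777; skip it
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            # Owner and group are reported because the mode alone does not
            # say who actually gets the access.
            detail = ("%03o" % mode, st.st_uid, st.st_gid)
            in_files = path == allowed or path.startswith(allowed + os.sep)
            # Only the upload directory may ever need the world-write bit.
            if mode & stat.S_IWOTH and not in_files:
                findings.append((rel, "world-writable") + detail)
            # settings.php holds the database connection string and password.
            if name == "settings.php" and mode & stat.S_IROTH:
                findings.append((rel, "world-readable-settings") + detail)
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/drupal [files-dir-relative-to-root]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    files_dir = sys.argv[2] if len(sys.argv) > 2 else "files"
    for rel, issue, mode, uid, gid in audit_drupal_permissions(root, files_dir):
        print("%-24s %s mode=%s uid=%s gid=%s" % (issue, rel, mode, uid, gid))
```

Running it again after a troubleshooting session with 777 shows what still needs to be tightened. A world-readable settings.php is reported even on hosts where that cannot be avoided, so treat that finding as something to review rather than an error.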
