I have a few Drupal installation on my dedicated host. I'm not a Linux guru and am worried that my file permissions are very wrong. They are as below. In this example user btn is a user account such as /home/btn

www:
drwxr-x--- 10 btn nobody 4096 Nov 24 18:51 .
drwx--x--x 9 btn btn 4096 Oct 9 09:49 ..
-rw-r--r-- 1 btn btn 3823 Nov 5 10:37 .htaccess
-rw-r--r-- 1 btn btn 38574 Oct 5 13:50 CHANGELOG.txt
-rw-r--r-- 1 btn btn 981 Oct 5 13:50 COPYRIGHT.txt
-rw-r--r-- 1 btn btn 1308 Oct 5 13:51 INSTALL.mysql.txt
-rw-r--r-- 1 btn btn 1075 Oct 5 13:51 INSTALL.pgsql.txt
-rw-r--r-- 1 btn btn 15646 Oct 5 13:50 INSTALL.txt
-rw-r--r-- 1 btn btn 18064 Oct 5 13:51 LICENSE.txt
-rw-r--r-- 1 btn btn 1978 Oct 5 13:50 MAINTAINERS.txt
-rw-r--r-- 1 btn btn 5002 Oct 5 13:51 UPGRADE.txt
drwxr-xr-x 2 btn btn 4096 Oct 5 13:40 cgi-bin
-rw-r--r-- 1 btn btn 262 Oct 5 13:51 cron.php
drwxr-xr-x 2 btn btn 4096 Oct 5 13:45 includes
-rw-r--r-- 1 btn btn 980 Oct 5 13:51 index.php
-rw-r--r-- 1 btn btn 46850 Oct 5 13:50 install.php
drwxr-xr-x 3 btn btn 4096 Oct 5 13:51 misc
drwxr-xr-x 35 btn btn 4096 Oct 5 13:46 modules
drwxr-xr-x 3 btn btn 4096 Oct 5 13:51 profiles
-rw-r--r-- 1 btn btn 1720 Nov 5 10:46 robots.txt
drwxr-xr-x 2 btn btn 4096 Oct 5 13:51 scripts
drwxr-xr-x 4 btn btn 4096 Oct 5 13:51 sites
drwxr-xr-x 9 btn btn 4096 Oct 5 16:22 themes
-rw-r--r-- 1 btn btn 25244 Oct 5 13:51 update.php
-rw-r--r-- 1 btn btn 352 Oct 5 13:51 xmlrpc.php

www/sites:
drwxr-xr-x 4 btn btn 4096 Oct 5 13:51 .
drwxr-x--- 10 btn nobody 4096 Nov 24 18:51 ..
drwxr-xr-x 3 btn btn 4096 Oct 8 14:02 all
drwxr-xr-x 3 btn btn 4096 Oct 26 21:52 default

www/sites/default:
drwxr-xr-x 3 btn btn 4096 Oct 26 21:52 .
drwxr-xr-x 4 btn btn 4096 Oct 5 13:51 ..
-rwxr-xr-x 1 btn btn 8917 Oct 5 13:51 default.settings.php
drwxr-xr-x 4 nobody nobody 4096 Oct 9 09:46 files
-rwxr-xr-x 1 root root 8917 Oct 5 13:59 settings.php

I get the feeling this is all very wrong!

Comments

laceiba’s picture

> I get the feeling this is all very wrong!

Why do you feel that way? Have you run into any problems?

dman’s picture

As it stands, it looks secure enough.

www/sites/default:
drwxr-xr-x 3 btn btn 4096 Oct 26 21:52 .
drwxr-xr-x 4 btn btn 4096 Oct 5 13:51 ..
-rwxr-xr-x 1 btn btn 8917 Oct 5 13:51 default.settings.php
drwxr-xr-x 4 nobody nobody 4096 Oct 9 09:46 files
-rwxr-xr-x 1 root root 8917 Oct 5 13:59 settings.php

is the only bit that counts.
What I can't figure is how you got it in that state in the first place without some sudo changes.

drwxr-xr-x 4 nobody nobody 4096 Oct 9 09:46 files

is correct - and the only 'insecure' part. By design.

-rwxr-xr-x 1 root root 8917 Oct 5 13:59 settings.php

is odd. I'd expect 'btn' ownership. But it's safe.

www:
drwxr-x--- 10 btn nobody 4096 Nov 24 18:51 .

is not very normal, I'd expect global r-x there, but it will work fine.

No worries.

.dan.
if you are asking a question you think should be documented, please provide a link to the handbook where you think the answer should be found.
| http://www.coders.co.nz/ |

ooboodoo’s picture

Thanks for the replies.

The only time I do a chmod is at install. I chmod sites to 777 then to 755 after install. The reason I was concerned was because of all the files that were writeable by world but now I realise that it's OK as the directories higher up in the hierarchy are not writeable to world.

The full procedure is:

create an account in Web Host Manager
upload drupal files to home/aUser/www
chmod -R 777 sites
Install drupla
chmod -R 755 sites

I don't get why all user account are owned by root. User btn is owed by root shouldn't it be owed by it's self?

I think I had better invest some time on learning unix users, groups and permissions.