By terkibibend on

Hi all,

I couldn't find detailed documentation about Drupal file permissions.

On my test server centos is running. Apache web server running as nobody. Drupal core files uploaded via ftp so core files owner is another linux account. Authenticated users posting content by using imagecache and fckeditor. All files sent by users over drupal has 664 permission. I think so this is dangerous.

Regarding to this scenery:

1. Is 444 enough for user uploaded files?
2. How can i make default permission to 444 user uploaded files via imagecache and fckeditor? (include/files.inc??)
3. Can you suggest a secure file storage idea?

Many thanks

Categories: Drupal 6.x

Comments

cog.rusty’s picture

cog.rusty commented

With 444 everyone can read them the files but noone can modify or delete them without chmoding them first. Well, any php script running as user 'nobody' can do just that.

Why do you think that 664 is dangerous?

To answer the general question,
(a) most people running sites use 644 or 664 for all drupal's files and 755 or 775 for drupal's directories (all must be readable by apache), except possibly the uploads directory .

(b) for the uploads directory the use either 777 if they have installed PHP as mod_php and PHP writes using apache's user account, or 755 if they have installed PHP as CGI with some kind of suexec solution and PHP writes using their own user account.

Usually they add some additional protection to settings.php and its containing directory after they set them up, with 444 and 555 respectively, to make them read-only.

terkibibend’s picture

terkibibend commented

When you upload your Drupal files by FTP, owner of these files is linux user for FTP account. When you upload a file by using drupal user, owner is "nobody".

In permissions, first decimal right (6 for 644) indicates file owner right. Third decimal (4 for 664) indicates all others' right including nobody.

So if you upload a file by FTP it is secure because "all others" has only read permission (4).

But files uploaded by drupal users are insecure because they have read/write permission (6)

cog.rusty’s picture

cog.rusty commented

The ability of PHP to write is essential for file uploads with PHP. There is no way around that on web sites.

I guess you are worried that other user accounts can use a PHP script to have apache write to your files. That is why there are PHP mechanisms such as
- open_basedir restriction: a user's PHP script can tell apache to read/write only in some specified directories, usually /home/accountname, /tmp, and some essential system directories. Sometimes awkward when need arises to include various OS libraries from time to time, but it works.
- the so-called safe_mode: a PHP script owned by you can't write in a directory owned by apache, even if PHP writes as the apache user. This has proved so secure that it is useless for the web and has been removed from PHP 6. (PHP creates subdirectories owned by apache but can't write files in them.)

There is also the possibility to have PHP write files using your own user account and not 'nobody', if you install PHP not as mod_php but as cgi/fastcgi and then install suphp or some suexec-based package. In that case, your own PHP scripts will create files which have permissions 644 but are owned by you, and they will also be able to modify these files. This is probably the most secure solution but has a serious performance penalty.

terkibibend’s picture

terkibibend commented

thank you very much. This is good idea:

"There is also the possibility to have PHP write files using your own user account and not 'nobody', if you install PHP not as mod_php but as cgi/fastcgi and then install suphp or some suexec-based package. In that case, your own PHP scripts will create files which have permissions 644 but are owned by you, and they will also be able to modify these files. This is probably the most secure solution but has a serious performance penalty."

fduppa’s picture

fduppa commented

# ) I really wasn't sure if I should open a new one.. but since the issue is _almost_ the same..

I was having some issues with permissions about file.inc ...
and solved it by doing the following:

cd /var/www/drupal
chmod -R 755 *
chmod 444 sites/default/settings.php
chmod 555 sites/default

is this secure? thanks :-)

cog.rusty’s picture

cog.rusty commented

That's about right. Or better, begin with: 

cd /var/www/drupal
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod 644

since files don't need the 755 "execute" bit, only directories do.

If you can upload files in Drupal, everything should be OK. If you can't, then you may need to change the permissions in your "files" directory.

fduppa’s picture

fduppa commented

Thank you very much, Sir ! :-)

doomed’s picture

doomed commented

well, this is useful!

gagarine’s picture

gagarine commented

The documentation you looking for "Securing file permissions and ownership " -> http://drupal.org/node/244924

https://interface-network.com - Interface Network is an action and research technology governance agency.