Cannot add/remove directories/subdirectories in /public_html/sites/default/files

r_honey - July 4, 2009 - 09:23

I was trying to add a sub-folder in /public_html/sites/default/files through cPanel's built in file manager. Although it showed no error, on refreshing the directory, the folder I specified was NOT there.

I tried deleting the .htaccess file in that folder; again, it could not be deleted. Trying to change its permissions to anything gave the following error in cPanel:
FileOp Failure on: /public_html/sites/default/files/.htaccess

I am effectively locked out of this folder. I cannot create/edit/remove files/folders from under it. The htaccess contents are as follows:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

Any help would be greatly appreciated.


-Anti- - July 4, 2009 - 10:14

Here is the security page for that patch
http://drupal.org/node/65409

> Trying to change its permissions to anything gave the following error in cPanel

Try to chmod it using an FTP client (and/or SSH if you have it active in cPanel).

Once you can write to it, comment its content out like this:

# SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
# Options None
# Options +FollowSymLinks

If I remember correctly, you can't just remove the htaccess file or delete the lines,
as it all gets regenerated. Commenting out seems to work though.

Also check that your default/files directory has 664 (or maybe it needs 755) chmod

If that fixes your problem, you then have to decide what you're going to do about this.
I can't find any answers myself and decided that there is no point having a secure /files
directory if you can't serve files from it. So I left the directory at 755 chmod and left the
htaccess lines commented out. I really have no idea how insecure this is; there appear
to be many unanswered questions in the forum about this patch.


r_honey - July 4, 2009 - 15:29

As I see it, default/files has 775 perms.

Currently, I was able to upload files & create sub-directories to this directory through Drupal's admin interface. So, instead of creating a security hole by commenting out those lines, I currently am inclined to leave it as it is.

Probably, later when I need to upload files manually, I might comment them out, and then recomment it after my work is done.

The information available on the link you provided:
"configurations of Apache allows execution of carefully named arbitrary scripts in the files directory"

does not provide much information about the security issue. On the surface, the above line looks pretty much of concern to me to comment out those lines.

--
I always think tomorrow will have more time than today.
And every today seems to pass-by faster than yesterday.
http://www.rahulsingla.com


-Anti- - July 4, 2009 - 17:55

> 775

775 is ok too; I think that's what later versions of Drupal use by default during installation.

> On the surface, the above line looks pretty much of concern to me to comment out those lines.

It depends what 'typical' apache set-up they are talking about.
The security bulletin is ridiculously vague and unhelpful.
And the patch itself is obviously server dependent.
Not a job well-done IMO.
If you search drupal.org for SA_2006_006, there are lots of unanswered questions about it.
Be aware that this htaccess file also seems to break some modules that try to use the /files directory.
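
An added example, not part of any post in this thread: a shell check to run over SSH after manual work in the files directory, confirming that the three .htaccess directives quoted above are active again rather than commented out. The function names are hypothetical, and the world-writable directory warning is an extra check that the thread does not discuss.

```shell
#!/bin/sh
# Added example: audit a Drupal files directory after manual changes.
# The three directives are the ones quoted in this thread.
# Usage (after sourcing): audit_files_dir /public_html/sites/default/files

# Succeeds if the exact directive $2 is an active (not '#'-commented)
# line in file $1. Leading/trailing whitespace and CR are ignored.
directive_active() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq -- "$2"
}

# Prints one status line per finding; returns 0 only if every check passes.
audit_files_dir() {
    dir=$1
    ht="$dir/.htaccess"
    rc=0
    if [ ! -f "$ht" ]; then
        echo "MISSING  $ht"
        return 1
    fi
    for d in \
        "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006" \
        "Options None" \
        "Options +FollowSymLinks"
    do
        if directive_active "$ht" "$d"; then
            echo "ACTIVE   $d"
        else
            echo "INACTIVE $d"
            rc=1
        fi
    done
    # Extra check (assumption, not from the thread): flag a directory
    # whose "others" write bit is set, e.g. mode 777.
    if [ -n "$(find "$dir" -prune -type d -perm -0002)" ]; then
        echo "WARN     $dir is world-writable"
        rc=1
    fi
    return $rc
}
```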
