I'm trying to get a new Drupal install up and running, and I'm getting the following bright pink warning at /admin/settings/file-system:
warning: is_file(): Stat failed for sites/default/files/.htaccess (errno=13 - Permission denied) in /home/fhlist/public_html/includes/file.inc on line 127.
warning: fopen(sites/default/files/.htaccess): failed to open stream: Permission denied in /home/fhlist/public_html/includes/file.inc on line 129.
Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your sites/default/files directory which contains the following lines:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
The only way to make this error go away is to set the permissions for sites/default/files to 777. I KNOW that can't be right, as it would appear to be a huge security problem. Further, on a Drupal site I run on a different host, the permissions for that folder are 755.
Can someone point me in the right direction? Thanks!
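The warnings in the question are errno=13 (permission denied) on the files directory: the PHP process runs as a different user from the one that owns sites/default/files, so it cannot stat or create .htaccess there. The script below is an added example, not the poster's or Drupal's own code. It creates the files directory with a mode that is not writable by everyone, writes the .htaccess with the three lines quoted in Drupal's warning, and provides checks an administrator can run to confirm no directory ended up at 777. The group name "www-data" in the comment is only a placeholder; which user the web server runs as depends on the host.

```shell
#!/bin/sh
# Added example (not from the original post or from Drupal).
# Assumes "$1" is the path to Drupal's files directory, e.g. sites/default/files.

# Create the files directory with a non-world-writable mode and drop in the
# .htaccess that Drupal's security warning asks for.
setup_files_dir() {
    dir="$1"
    mkdir -p "$dir"
    # 755 matches the poster's working host; if the web server's group is
    # known, sharing the group is the usual alternative to 777, e.g.:
    #   chgrp www-data "$dir" && chmod 775 "$dir"   # www-data is a placeholder
    chmod 755 "$dir"
    # Contents exactly as quoted by Drupal's warning (SA-2006-006).
    printf '%s\n' \
        'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' \
        'Options None' \
        'Options +FollowSymLinks' > "$dir/.htaccess"
    chmod 644 "$dir/.htaccess"
}

# Return 0 when the path is NOT writable by "everyone" (the 777 case).
# The 9th character of `ls -ld` output is the "other" write bit: "-" or "w".
not_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" != "w" ]
}

# Return 0 when .htaccess carries the SetHandler line Drupal checks for.
htaccess_has_handler() {
    grep -q 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' "$1/.htaccess"
}

# Print mode, owner and group so they can be compared with the user the
# web server (PHP) runs as; a mismatch there is the usual cause of errno=13.
describe() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}
```

Run `setup_files_dir sites/default/files`, then `describe sites/default/files` and compare the owner or group with the account PHP runs under (visible in the process list); if they differ and the host will not change ownership, 775 with a shared group is the next step before 777.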
Comments
First, let's try to deal with the idea that 777 is a security risk in and of itself.
- Isn't this a security risk?
The short answer is: no, not really... it isn't. Keep reading for the long answer.
- So, what, you're saying EVERYTHING should be 777?!?
Not hardly. Just some things in the forum's directory. Not, of course, that you should do so with the entire directory - but it won't matter much if you do, so long as your server is configured reasonably correctly.
- But... wait a minute. The three numbers stand for "Owner," "Group," and "Everyone." Doesn't that mean anyone can write to the files if I make it 777? (writable by all!?)
Well, technically, yes. But, the person first has to get into your server and be able to touch the file in the first place. They also have to have access to the directory the file is in, and the directory that file is in. At some point, you should have a directory which isn't 777. Which is likely why the /default/ folder isn't 777.
- Isn't it safer, at least, not to use 777? What if a hacker got in?!
If a hacker gets in and wants to cause you trouble... there is nothing you can do. You can have the file permissions as strict as you want, but the database will be wide open. So, yeah... you can protect the files that don't change from being deleted, but not your data.
- Isn't it unlikely a hacker would get into my server so much they could delete files?
Not that unlikely, but no more or less likely than if they could use 777 to their advantage. Think of the database as ALWAYS 777.
- I believe you, but my host doesn't. They don't want me to make everything 777, they say it's not safe.
So have them read this. If they can't refute it, prove it wrong, or at least even challenge it, then I guess they have to let you do 777.
Which leaves 777, 775, 770 or 755. One of those would be correct. If 777 is the only one that works for you, then it should be 777 to ensure Drupal works correctly. Beyond the information provided here, it may be fruitful to ask your host.