Why we need to change permission

You need to modify the permissions on the "/sites/default/files" directory so that it can be writable by the web server.

There is no anxiety attached to this in the context of your local development installation. For example, when you dealing with a copy of your production site on your laptop, the laptop does not have port 80 open, and the site is not accessible via the Internet. Security is not as important in this context, and you can loosen up file and folder permissions without fear. However, if the installation which you need to fix is accessible via the public Internet, then you have to be careful to set your file and folder permissions correctly. Since your local development code is probably destined to be deployed to the Internet someday, it's a good idea to follow security best practices even in your local environment.

On a typical LAMP hosting stack you will need to check the file and folder ownership. The Drupal installation folders should all be owned by the same user and group. The Apache webserver by default uses the group 'apache' or 'www-data'. However, it will always have a user name, too. This will be identical. So if the LAMP stack is Ubuntu you will find the web server user account is 'www-data' and the web server group name is 'www-data'. It is normal for users with superuser access to add their user account to the www-data group. That is a good basis for setting your Drupal installation folders to the correct ownerships.

You can read a brief intro to Unix file permissions and Securing file permissions and ownership to have more info.

Explanation

Each file or directory has its owner. If you created the file yourself, you're the owner, and you can do virtually anything to the file, including change of permissions. Drupal, on the other hand, is an automated script acting on the system as "apache", "webserver" or some different identity, which is not the same as yours.

When you don't own the file

The same also works the other way: Any files created by Drupal (such as settings.php, or any uploaded and/or temporary files) are owned by the webserver process, and you may be unable to change/remove them if Drupal didn't give the permission. Sometimes it helps to manipulate the parent directory, but mostly in such a case you need to remove the files as root user.

Use safe permissions

To know which permissions are safe, read Securing file permissions and ownership.

It's important to note that the only folder in your Drupal install that needs write permissions is the "files" folder. It is especially important that you ensure that settings.php is set to read-only.

Installation process

When you install Drupal the web server also need write permission on "/sites/default" folder to create the "settings.php" files.

settings.php should absolutely not have write permissions after the installation, neither should the "/sites/default" folder.

Change permission from command line (Linux, Mac OSX)


To GRANT write access to everyone:

  1. Browse to the parent directory using cd [path]
  2. Change permissions using chmod a+w [file-or-folder]

To REMOVE write access to everyone:

  1. Browse to the parent directory using cd [path]
  2. Change permissions using chmod a-w [file-or-folder]

Example:
To make Drupal's sites/default folder writeable...

cd /home/exampleuser/www.example.com/sites
chmod a+w default

Change permission through an FTP client (FileZilla)

We use FileZilla client but with all client you usually need to right-click the file or directory and use some sort of "change permissions" option, depending on the exact application you're using.

When adding write permission:

  1. After logging in to the server, navigate to the the directory or file that needs its permissions changed.
  2. Right-click on the directory/file.
  3. In the resulting menu, click on "File Attributes".
  4. Check all of the "Write" check boxes.

To remove write permissions:

  1. After logging in to the server, navigate to the the directory or file that needs its permissions changed.
  2. Right-click on the directory/file.
  3. In the resulting menu, click on "File Attributes".
  4. Uncheck all of the "Write" checkboxes.

FileZilla Screenshot

Change permission using the OS graphical interface

on Mac OS X 10.4 and earlier

  1. Open a Finder window and navigate to the file or folder
  2. You can see and set permissions by pressing Command-I on your file or directory or...
  3. By control-clicking and selecting Get Info.

OS X screenshot

On Mac OS X 10.5 and later

It's recommended that you modify permissions via the command-line by opening Terminal and using the instructions above.

If you still need to edit permissions via the GUI:

  1. Open a Finder window and navigate to the file or folder
  2. You can see and set permissions by pressing Command-I on your file or directory or...
  3. By control-clicking and selecting Get Info.
  4. Click the lock in the lower right-hand corner of the window to authenticate.

OS X 10.5 screenshot

Comments

edegids’s picture

I think I screw up setting permissions on the default folder... Then I got security warnings and tried to set the correct permissions. But... I couldn't find a complete list of what the permissions to /default and all subfolders should be. After looking in different places, I finally did this:

/default on 755
/default/files including all subfolders and files on 777
/default/themes including all subfolders and files on 755
/default/modules including all subfolders and files on 755
/default/settings.php and /default/default.settings.php on 444

Warning: I don't know if this is correct and really secure, but it works for me. At least I don't get any security warnings anymore.... If I'm wrong, I'd like to know it!

zJoriz’s picture

Thank you very much.

chintamani’s picture

default/ should be 644 or 744 I guess.

Matt B’s picture

I had an issue with a particular host where the web server was set up so that files and folders with lax permissions would not be served. Files had to have a maximum of 644 and folders 711. I found the permissions would change whenever I installed/updated a module or updated the version of drupal. I wrote the following PHP script, which I execute via SSH to recursively set the file and folder permissions correctly.

<?php
//Set permissions of directories to 711 and files to 644 in public_html in current directory.

function SetPerms($dir = ".")
    {
        $listDir = array();
        if($handler = opendir($dir)) {
            while (($sub = readdir($handler)) !== FALSE) {
                if ($sub != "." && $sub != "..") {
                    // found file
                    if(is_file($dir."/".$sub)) {
                        echo "File: $dir/$sub\n";
			chmod($dir."/".$sub, 0644);

                    // found directory
                    } else if(is_dir($dir."/".$sub)){
                        echo "Dir: $dir/$sub :\n";
			chmod($dir."/".$sub, 0711);
                        SetPerms($dir."/".$sub);
                    }
                }
            }   
            closedir($handler);
        }
        return $listDir;   
    }

SetPerms("public_html");
?>
pcorneillie’s picture

Great. Thx for the script.
I made a huge mistake the other day by doing chmod 777 ./* but on my production server and not on my test server (shame on me, having all those consoles open).
I didn't know where to look to know which settings were the right ones.
I hope this will not get me into problems or are the some very specific settings not done or necessary?

smira’s picture

reference this document for all your permission needs.

gagarine’s picture

Securing file permissions and ownership -> http://drupal.org/node/244924

https://interface-network.com - Interface Network is an action and research technology governance agency.