Last updated October 9, 2013. Created by chx on September 25, 2013.
Edited by heddn.

Drupal 8 relies heavily on generated PHP files. This raises an obvious security concern: if an attacker can write to those files, arbitrary PHP code will run, not only when the generated file is requested directly through a web browser but also when Drupal itself includes it.

Drupal 8 offers several defenses. First, the PHP files can be generated in a staging environment and deployed to production together with a read-only storage class, so production never writes them at all. Second, the default storage class names the dumped file with a hash computed from a secret and the modification time of the containing directory, and on read it additionally checks that the file's modification time is not later than the directory's. Together these mean that although the default storage permissions let anyone write the compiled files, overwriting a file in place makes it newer than its directory and it is rejected, and deleting it and writing a new file under the same name changes the directory modification time, so the expected file name no longer matches. The secret is stored in settings.php alongside the database credentials, so an attacker who can read it has already compromised the site.
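The two checks above, as an added example written for this page. It is a Python model of the scheme rather than Drupal's own PhpStorage PHP code, so the tampering cases can be executed end to end; SECRET stands in for the secret kept in settings.php, and run_scenarios() is an assumed driver name. The model pins the directory mtime one second in the past so that a rewrite in the same second as the save is still detectably newer; the file name and the read-time check follow the description above.

```python
"""Model of the mtime-protected PHP storage described above (added example,
not Drupal's own code)."""
import hashlib
import hmac
import os
import shutil
import tempfile
import time

SECRET = b"hash-salt-from-settings.php"   # assumption: stands in for the site secret


class MTimeProtectedStorage:
    """One directory per stored name; the file inside it is named by an HMAC of
    the name keyed with the secret and the directory's mtime."""

    def __init__(self, root, secret):
        self.root = root
        self.secret = secret

    def _dir(self, name):
        return os.path.join(self.root, name)

    def _path(self, name):
        directory = self._dir(name)
        dir_mtime = int(os.stat(directory).st_mtime)
        key = self.secret + str(dir_mtime).encode()
        digest = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()
        return os.path.join(directory, digest + ".php"), dir_mtime

    def save(self, name, code):
        directory = self._dir(name)
        os.makedirs(directory, exist_ok=True)
        # Model's choice: pin the directory mtime one second in the past so a
        # rewrite within the same second still reads as newer than the directory.
        stamp = int(time.time()) - 1
        os.utime(directory, (stamp, stamp))
        path, dir_mtime = self._path(name)
        with open(path, "w") as fh:
            fh.write(code)
        # Creating the file bumped the directory mtime; restore both so the
        # invariant "file is not newer than its directory" holds.
        os.utime(path, (dir_mtime, dir_mtime))
        os.utime(directory, (dir_mtime, dir_mtime))
        return path

    def load(self, name):
        """Return the stored code, or None if either check fails."""
        directory = self._dir(name)
        if not os.path.isdir(directory):
            return None
        path, dir_mtime = self._path(name)
        if not os.path.exists(path):
            return None            # name was hashed on a different directory mtime
        if int(os.stat(path).st_mtime) > dir_mtime:
            return None            # file was written after the directory
        with open(path) as fh:
            return fh.read()


def overwrite(path, code):
    """Attacker with write access rewrites the compiled file in place."""
    with open(path, "w") as fh:
        fh.write(code)


def recreate(path, code):
    """Attacker deletes and recreates it, which changes the directory mtime."""
    os.unlink(path)
    overwrite(path, code)


def recreate_and_reset_mtimes(path, code):
    """Attacker who also owns the directory can put both mtimes back."""
    directory = os.path.dirname(path)
    stamp = int(os.stat(directory).st_mtime)   # noted before tampering
    recreate(path, code)
    os.utime(path, (stamp, stamp))
    os.utime(directory, (stamp, stamp))


def run_scenarios():
    """Run each case against a fresh store; the value is what load() returned."""
    results = {}
    root = tempfile.mkdtemp()
    try:
        for label, attack in (
            ("untouched", None),
            ("overwritten_in_place", overwrite),
            ("deleted_and_recreated", recreate),
            ("recreated_by_directory_owner", recreate_and_reset_mtimes),
        ):
            store = MTimeProtectedStorage(os.path.join(root, label), SECRET)
            path = store.save("service_container", "<?php return 'trusted';")
            if attack:
                attack(path, "<?php return 'attacker';")
            results[label] = store.load("service_container")
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, loaded in run_scenarios().items():
        print(f"{label}: {'rejected' if loaded is None else loaded}")
```

The last scenario is the caveat worth remembering: setting a directory's mtime to an arbitrary value with utime(2) requires owning the directory, so the check only holds when the process that can write the compiled files is not the owner of the directory. That is why the ownership assignment in the permission commands further down matters as much as the mode bits.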

Here are permissions one might set, run from the Drupal docroot (replace MYUSER with the deploying user; www-data is the web server's group):

# Files are owned by the deploy user and readable, not writable, by the web
# server group; only the config directory stays group-writable.
# "." rather than "*" so dotfiles such as .htaccess are included.
sudo chown -R MYUSER:www-data .
sudo find . -type d -exec chmod 755 {} \;
sudo find . -type f -exec chmod 640 {} \;
sudo find sites/default/files/config* -type f -exec chmod 664 {} \;
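A check for the policy above, as an added example for this page and not a Drupal tool: it walks a docroot and reports every entry whose mode differs from the commands (directories 0755, files 0640, files under sites/default/files/config* 0664). Ownership is not checked because the expected user is site-specific. The function names audit(), expected_mode() and build_sample_tree() are assumed; build_sample_tree() creates a constructed docroot with a few deliberate mistakes so the audit can be run offline.

```python
"""Audit a Drupal docroot against the permission policy above (added
example, not part of Drupal)."""
import os
import stat
import tempfile

CONFIG_PREFIX = os.path.join("sites", "default", "files", "config")


def expected_mode(rel_path, is_dir):
    """Mode the commands above would leave on this entry."""
    if is_dir:
        return 0o755
    if rel_path.startswith(CONFIG_PREFIX):   # matches config* directories
        return 0o664
    return 0o640


def audit(docroot):
    """Return (relative path, actual mode, expected mode) for each mismatch."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue      # the link's own mode is irrelevant; audit its target
            rel = os.path.relpath(full, docroot)
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            want = expected_mode(rel, is_dir)
            if actual != want:
                problems.append((rel, actual, want))
    return problems


def build_sample_tree():
    """Constructed docroot: three entries are deliberately wrong."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": 0o640,
        "sites/default/settings.php": 0o640,
        "sites/default/files/config_abc/active/system.site.yml": 0o664,
        "sites/default/files/config_abc/staging/x.yml": 0o640,   # should be 664
        "core/lib/Drupal.php": 0o666,                              # world-writable
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)   # chmod ignores umask, so modes are exact
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "sites", "default"), 0o775)         # should be 755
    return root


if __name__ == "__main__":
    for rel, actual, want in audit(build_sample_tree()):
        print(f"{rel}: {oct(actual)} (expected {oct(want)})")
```

Run it as the deploying user with the docroot as the argument to audit(); anything world-writable or group-writable outside the config directory is exactly what the chmod lines are meant to remove.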
