Keeping Drupal’s Files Safe

The Black Art of File Permissions

When Drupal users deploy their first (or second, or tenth…) site to a real web server, one of the most common points of confusion is the proper access permissions for the files directory and settings.php. Because the files directory stores uploaded content from the site’s users, badly configured permissions are a potential security risk. Lock it down too tightly, though, and managing backups or future migrations can be a pain.
My standard starting point when creating a new Drupal site on a server is to create a user (or pick an existing one) that belongs to the web server group (typically the Apache group), and give that user ownership of all Drupal files. On Ubuntu, these are the commands to get that set up:
(
  # These commands need root privileges; run them as root or via sudo.

  # Create a new example user with a home directory and a login shell.
  useradd -s /bin/bash -m example;

  # Now add that user to the Apache group. On Ubuntu/Debian this group is usually
  # called www-data, on CentOS it’s usually apache. -a appends the group so the
  # user’s existing supplementary groups are kept.
  usermod -a -G www-data example;

  # Set up a password for this user.
  passwd example;
)
Once I have that set up, I’ll log in as the user and install Drupal at /var/www/example/docroot or a similar path, then create the files directory by hand and copy over the settings.php file. Since we log in as our example user before copying in Drupal, our file ownership and permissions should automatically be properly configured on all the core Drupal files and scripts (including .htaccess files).
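As an added example (not from the original post), here is a POSIX shell script that applies the layout just described, with the site owned by the deploy user, readable by the web server group, and only the files directory writable by that group, and then audits a docroot for drift. The user and group names, and the sites/default/files and sites/default/settings.php paths, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Ownership/mode layout for a
# Drupal docroot plus an audit for drift. User/group names are assumptions.

# set_drupal_owner DOCROOT OWNER GROUP: needs root; kept separate so the
# mode functions below can be exercised without privileges.
set_drupal_owner() {
  chown -R "$2:$3" "$1"
}

# set_drupal_modes DOCROOT: code and config owner-writable only, web server
# group may read; files/ group-writable with setgid so uploads inherit the
# group; settings.php read-only once the install is done.
set_drupal_modes() {
  docroot=$1
  find "$docroot" -type d -exec chmod 750 {} + &&
  find "$docroot" -type f -exec chmod 640 {} + &&
  find "$docroot/sites/default/files" -type d -exec chmod 2770 {} + &&
  find "$docroot/sites/default/files" -type f -exec chmod 660 {} + &&
  chmod 440 "$docroot/sites/default/settings.php"
}

# audit_drupal_modes DOCROOT: returns 1 (and lists offenders) if anything
# outside files/ is group- or world-writable, anything inside files/ is
# world-writable, or settings.php is writable by anyone at all.
audit_drupal_modes() {
  docroot=$1
  bad=$(
    find "$docroot" -path "$docroot/sites/default/files" -prune -o \
      \( -perm -020 -o -perm -002 \) -print
    find "$docroot/sites/default/files" -perm -002 -print
    find "$docroot/sites/default/settings.php" \
      \( -perm -200 -o -perm -020 -o -perm -002 \) -print
  )
  if [ -n "$bad" ]; then
    printf 'writable where it should not be:\n%s\n' "$bad"
    return 1
  fi
  return 0
}

# make_sample_docroot: constructed miniature Drupal tree for a dry run.
make_sample_docroot() {
  d=$(mktemp -d) &&
  mkdir -p "$d/sites/default/files/pictures" "$d/core" &&
  : > "$d/index.php" && : > "$d/.htaccess" && : > "$d/core/lib.php" &&
  : > "$d/sites/default/settings.php" &&
  : > "$d/sites/default/files/pictures/avatar.png" &&
  printf '%s\n' "$d"
}
```

Run set_drupal_owner as root once after copying Drupal in; set_drupal_modes and audit_drupal_modes can be run by the deploy user, the latter periodically to catch a settings.php left writable after an update.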
