Web Server File System Permissions

Drupal requires write permissions to the files directory and the temp directory to enable features such as file uploads, CSS aggregation, and the upload of a new logo for the theme. However, it is a dangerous mistake to simply let Drupal write to every file inside the document root on your web server, because Drupal could then write files that the web server would later execute. Again, you should endeavor to audit your site so that an attacker can never upload PHP code that could be executed. But if a vulnerability does allow an attacker to upload a PHP file, file permissions that keep your code read-only for the web server provide defense in depth that would prevent the vulnerability from becoming exploitable.

What are the specific permissions? It depends on your server setup, but here is one example. Following a default installation with Drupal 6, the file settings.php and a directory for files have been created inside the sites/default directory:

[drupalhost]$ ls -l
total 28
drwxrwx--- 5 www-data maintenance 4096 Aug 19 16:04 files
-r--r----- 1 www-data maintenance 8971 Aug 19 15:41 settings.php

The web server on this host runs as the user www-data, and there is a server group called maintenance, whose members are the server maintenance team. The permissions on settings.php allow the www-data user and the maintenance group to read the file, but don't allow any other user to read it or anyone to edit it. If it needs to be edited, a user will first need to run a command like sudo chmod g+w settings.php to change the permissions and allow the maintenance group to edit the file. The files directory is set so that www-data and members of the maintenance group can read and write files in it.

Now a look at the permissions in the root of the Drupal installation:

-rw-rw-r-- 1 greg maintenance 39359 2008-08-25 08:45 CHANGELOG.txt
-rw-rw-r-- 1 greg maintenance 978 2008-02-06 12:48 COPYRIGHT.txt
-rw-rw-r-- 1 greg maintenance 487 2008-05-26 11:24 cron.php
drwxrwxr-x 2 greg maintenance 4096 2008-08-25 08:45 CVS
drwxrwxr-x 3 greg maintenance 4096 2008-06-21 13:21 database
drwxrwxr-x 3 greg maintenance 4096 2008-06-21 13:21 files
drwxrwxr-x 3 greg maintenance 4096 2008-08-25 08:45 includes
-rw-rw-r-- 1 greg maintenance 979 2008-08-25 08:45 index.php

As you can see, the rest of the site is set with permissions that allow the maintenance team to update the site but will prevent the web server from editing or overwriting files. Because all the code for a typical Drupal site is available on drupal.org, there is little point in trying to prevent other users on the system from reading it (for example, by making the files above rw-rw----). The only file that needs to be protected in this manner is the settings.php file, which contains the database login credentials.
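The scheme above can be checked mechanically. The following script is an added example, not part of the original article or of Drupal: it flags anything outside sites/default/files that the web server account owns and can write (or that is world-writable), and flags a settings.php that is writable or open to other users. The docroot path and account name are arguments you supply; it assumes, as in the listings above, that the web server account is not a member of the maintenance group, so group-write on the code is not treated as a finding.

```shell
#!/bin/sh
# Added example: audit a Drupal docroot against the permission scheme in this article.
# Usage: sh audit.sh DOCROOT WEB_USER    e.g. a docroot path and www-data

audit_docroot() {
    docroot=${1%/}      # strip a trailing slash so the -path match below works
    web_user=$2         # account the web server runs as
    files_dir="$docroot/sites/default/files"
    settings="$docroot/sites/default/settings.php"

    findings=$(
        # Outside the files directory nothing should be writable by the web
        # server: flag entries it owns with the owner-write bit set, and
        # anything world-writable. Symlinks are skipped.
        find "$docroot" -path "$files_dir" -prune -o \
            ! -type l \( \( -user "$web_user" -perm -200 \) -o -perm -002 \) \
            -print | sed 's/^/WEB-WRITABLE: /'

        if [ -f "$settings" ]; then
            # settings.php holds the database credentials. It should carry no
            # write bit at all, which also catches a forgotten chmod g+w.
            find "$settings" \( -perm -200 -o -perm -020 -o -perm -002 \) \
                -print | sed 's/^/SETTINGS-WRITABLE: /'
            # It should also grant nothing to users outside owner and group.
            find "$settings" \( -perm -004 -o -perm -002 -o -perm -001 \) \
                -print | sed 's/^/SETTINGS-OPEN-TO-OTHERS: /'
        fi
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

The function prints one finding per line and returns non-zero when there is at least one, so it can run from cron or a deployment check.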
