Darcy, Posted May 15, 2006:
Hi. Can anyone tell me if it is ok from a security perspective to change the permissions to 766 on a folder I created, which is outside of public_html? My Drupal installation is giving me error messages if I set the permissions any lower. Thanks!
cajunman4life, Posted May 15, 2006:
If it's outside of your public_html, at first glance I would say yes. However, given that something in public_html is accessing it... I'm not completely sure. We'll let someone else offer an opinion as well.
TweezerMan, Posted May 16, 2006:
> Can anyone tell me if it is ok from a security perspective to change the permissions to 766 on a folder I created, which is outside of public_html?

It depends on what you mean by "ok". At 0766 permissions, any user with an account on the same server as you, or a malicious user who has compromised any account on your server, has the ability to read the directory (list the files it contains), and create or delete files in that directory.

Since Drupal is a PHP script, it is running as the user "nobody", and it apparently needs the ability to read and create files in that directory. Assuming you own the directory in question, the minimum permissions to allow this would be 0766. 0766 directory permissions are not really secure, but it is the only way you can allow Drupal to read and create the files it needs in that directory.

I don't know what you've set up Drupal to use this directory for, but if Drupal only needs to create files in that directory during installation and not afterwards, you may be able to secure the directory further after installing Drupal by restricting the directory to read-only for everyone other than yourself by setting the directory permissions to 0744. I believe this would be the minimum permissions you could set on the directory and have Drupal still work without errors.

As always, you should make regular backups of your files and databases so in the event of a compromise, you can restore your account back.
Darcy (Author), Posted May 16, 2006:
Ok, that's really helpful information. Doesn't really sound like I should leave the permissions that way permanently. I've found that Drupal won't let me change any other settings if it detects that this folder doesn't exist or isn't writable (oddly, Drupal doesn't even seem to care if the folder can be read--I later tried 722 and that satisfies it), but as far as I can tell the system works fine for me without the folder, so I guess I'll just change the folder to be writable to keep Drupal happy when I want to change settings--which hopefully won't be too often after I get my site set up--then change it back for the rest of the time. Thanks very much for your help!
flashram, Posted May 17, 2006:
Darcy, as a matter of interest to others who may be having similar problems and are reading this thread, have you been to the Drupal support forums and done a search on this problem to see if one, it is a known issue, or two, if it is a bug in Drupal?
Darcy (Author), Posted May 17, 2006:
Yeah, I looked at the Drupal forums, and as far as I can tell the fact that this folder has to exist, or else any attempt to change other settings will end in an error, is a known issue, and is not really a bug from their perspective. The need to give world permission to write to the folder is also a known issue, although it sounds like some people don't need to do that for some reason, maybe because of different server setups. I saw some references to people getting by without this folder existing, but I think they were using an older version of Drupal.

Generally speaking, the advice on the forum there seems to be to just set permissions on the folder to 777 and leave it that way. Now that I understand more what that means, I'm kind of surprised people seem so willing to do that.

The folder in question is used by Drupal for allowing files to be uploaded and downloaded by users through the system, and it really is necessary for that feature, although it still seems silly to me that even people who don't want to use the feature that requires the folder have to create the folder and make it writable just to get the Drupal settings page to work properly.
click, Posted May 17, 2006:
My understanding is that other users and their scripts should not be able to access your account regardless of the permissions you've set. But, you're right, if you don't even need the feature then why risk it.
TCH-Tim, Posted May 17, 2006:
> My understanding is that other users and their scripts should not be able to access your account regardless of the permissions you've set. But, you're right, if you don't even need the feature then why risk it.

If it didn't matter, then why would permissions even exist? 777 is a bad idea.
click, Posted May 17, 2006:
Permissions certainly do matter and affect security and file access. My point was only that on a shared server there should be other measures in place that keep users out of each other's accounts. Most scripts that use mysql databases contain mysql login info in plain text in their source/config files, for example, so you certainly wouldn't want other users to even be able to read them. So, I guess my real question is whether vulnerable scripts in other users' accounts can access my account. No they can not. I would have to agree, though, that 0777 permissions should be avoided.
TCH-Tim, Posted May 17, 2006:
Proper file permissions are your best defense as they are enforced by the operating system. There is no reason to leave it to chance as anyone who has ever gone through a hack and restore will tell you. We do go to great lengths to ensure the security of our servers and all of your accounts. We take abuse very seriously and have zero tolerance for offenders. But at the end of the day the security of your account - including keeping scripts up to date, having strong passwords that are changed often, maintaining proper file permissions, and keeping clean backups of all data including databases - is your responsibility. As they say, an ounce of prevention is worth a pound of cure.
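Added example (not part of the thread or of any poster's message): a Python audit that walks a directory tree and reports every directory whose "other" permission bits include write, as with the 766, 722 and 777 modes discussed above, together with what those bits permit. It assumes standard POSIX directory semantics (creating or deleting entries needs both write and search/execute on the directory; the sticky bit restricts deletion to a file's owner); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def other_capabilities(mode):
    """What users in the "other" class can do with a directory of this mode."""
    r, w, x = (bool(mode & b) for b in (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))
    caps = []
    if r:
        caps.append("list names")
    if x:
        caps.append("traverse")
    if w and x:
        # Creating or deleting entries needs write AND search on the directory.
        caps.append("create files")
        caps.append("delete own files only" if mode & stat.S_ISVTX else "delete any file")
    elif w:
        caps.append("write bit set, no search bit")
    return caps

def audit_world_writable(root):
    """Map each directory under root with the other-write bit set to (mode, caps)."""
    findings = {}
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISDIR(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                rel = os.path.relpath(full, root)
                findings[rel] = (format(mode, "04o"), other_capabilities(mode))
    return findings

def build_sample_tree():
    """Constructed sample: one directory per mode mentioned in the thread, plus 1777."""
    root = tempfile.mkdtemp()
    modes = {"d766": 0o766, "d744": 0o744, "d722": 0o722, "d777": 0o777, "d1777": 0o1777}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod is not subject to the umask
    return root

if __name__ == "__main__":
    for rel, (mode, caps) in sorted(audit_world_writable(build_sample_tree()).items()):
        print(mode, rel, "->", ", ".join(caps))
```

Pointing `audit_world_writable` at an account's home directory gives a list of folders to review after a settings change that required loosening permissions.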