Tuesday, January 15, 2013

WINDOWS SECURITY

http://drupal.org/node/244924


Community Docs HomeInstallation GuideAdministration Guide

Securing file permissions and ownership

Last updated December 28, 2012. Created by lsrzj on April 10, 2008.Edited by likewhoa, ghoti, JohnNoc, NadimBak. Log in to edit this page.The server file system should be configured so that the web server (e.g. Apache) does not have permission to edit or write the files which it then executes. That is, all of your files should be 'read only' for the Apache process, and owned with write permissions by a separate user.As a quick test to confirm whether your site is secure or not you can run the Security Review module.Note that this whole article is about "defense in depth." Drupal can run quite safely with permissions a little "looser" than they should be. But if an administrator account is compromised by an attacker or an attacker gains the ability to execute arbitrary code then the configuration below will limit their ability to further exploit your site.

Configuration examples

For example, on many systems the Apache process runs as a user called "www-data" that is in a group called "www-data". This user should be able to read all of the files in your Drupal directory either by group permissions or by "other" permissions. It should not have write permissions to the code in your Drupal directory. If you use features of Drupal which require the "files" directory, then give the www-data user the permission to write files only in that directory.Following is an example file listing of a safe configuration showing two files in a site where uploaded files are stored in the "files" directory. In order to see the file permissions set for your set-up, go to the command line and type: ls -al.drwxrwx---  7 www-data    greg-group  4096 2008-01-18 11:02 files/drwxr-x--- 32 greg-user   www-data    4096 2008-01-18 11:48 modules/-rw-r-----  1 greg-user   www-data     873 2007-11-13 15:35 index.phpIn the above example, the web server user has the ability to write in the files directory, any users in the group "greg" can read and write the data as well, but other users are not allowed to interact with that data. The "index.php" file (representative of all code files) can be edited by "greg" and can be read by the www-data group (we assume the www-data user is in the www-data group). No other users can read that file. This is a fairly secure method of configuring your site. You generally don't want random users who have the ability to read files on your server to see inside those files, hence the last three permissions are --- instead of r-x.Below is an insecure setup:NOTE: THIS IS AN INSECURE CONFIGURATIONdrwxrwx---  7 www-data  www-data  4096 2008-01-18 11:02 files/drwxrwx--- 32 greg-user www-data  4096 2008-05-16 11:48 modules/-rw-rw-rw-  1 www-data  www-data   873 2007-11-13 15:35 index.phpThis configuration allows the www-data user to edit the index.php file (and since it is representative of other files, we assume every file that makes up the Drupal site). This configuration is dangerous for the reasons outlined below. If you are using a configuration like this, please change it immediately to be more like the first version. Instructions for making the necessary changes are given below for Linux Servers.

Quick lesson in permission's numeric equivalents

On Unix-like servers (including Linux), permissions for files and directories can be specified using letters (e.g., "r" for read, "w" for write, and "x" for execute bits) or numbers. The numbers 4, 2, and 1 are conversions of these bits from binary, and correspond directly to read, write, and execute. The instructions below use the alphabetic notation because it is easier to read, but you often will see permissions given in numeric notation in the Drupal Handbook and many other How-Tos. Below are examples of the alphabetic notation and the numeric equivalent:rwx  ==  111 binary  ==  7r--  ==  100 binary  ==  4---  ==  000 binary  ==  0Unix filesystems assign permissions to three different categories of possible users -- owners, members of a security group defined on the server (e.g., using the groupadd command in Linux, the pw command in FreeBSD or the dseditgroup command in OSX), and everyone else. Each of these categories is assigned permissions using the alphabetic or numeric notation explained above via the chmod command.The permissions for a file or directory can be displayed using the ls -l command. The display shows file or directory permissions in the first column in alphabetic notation. The first character indicates the type of directory item, with a "d" whether the file system entity is a directory; a "-" is shown if the entity is a file. The next three letters show the permissions for the user-owner of the file or directory. The next three letters show permissions for the group-owner of the file or directory. The last three letters show the permissions for everyone who is not the user-owner or a member of the group that owns the file or directory. For example:drwxr-x--- 10 joe     www-data    4096 Oct 15 14:15 ./drwxr-xr-x 13 root    root        4096 Oct 11 14:50 ../-rw-r-----  1 joe     www-data    6553 Aug  1 12:27 authorize.php-rw-r-----  1 joe     www-data   70700 Aug  1 12:27 CHANGELOG.txt-rw-r-----  1 joe     www-data    5267 Oct 12 22:47 .htaccessdrwxr-x---  4 joe     www-data    4096 Oct 15 14:23 includes/-rw-r-----  1 joe     www-data     529 Aug  1 12:27 index.phpSo, in the listing above, the index.php file is owned by the user joeand the group www-data (usually the name of the Apache user and group on Debian-based systems). The permissions allow joe to read and write the file but allow users in the www-data group only to read the file (except joe, of course, who has owner permissions).

Addendum on chmod Non-Numeric Permission Notation

When used in the chmod command, the symbols below have the meanings given:"+" = add a permission to the ones already assigned"-" = revoke a given permission maintaining the others already assigned"=" = ignores the already assigned permissions and assigns the permissions specified"u" = user"g" = group"o" = others"a" = everybody (user, group, others)For files:r = readw = writex = executeFor directories:r = list (read directory contents)w = writex = can access the directory (i.e., cd to the directory)Using chmod without numeric values makes it more human-readable. These are some examples of how to use it:chmod commands and results for a file with permissions rwxrwx--- (770)chmod humanchmod numericresulting permissionugo=rwx777rwxrwxrwxu-wx470r--rwx---o+r774rwxrwxr--g-wx,o+r744rwxr--r--u-w,g-wx,o+r544r-xr--r--g=,o=r704rwx---r--a-wx440r--r-----Note: Because of the way Unix filesystems work, all files and directories created by the Apache server will be created with an owner that is the same user as is running httpd. In Linux, you can handle this with a tool that is good to be used called fsniper. It uses iNotify to check for newly created/modified directories and files and you can apply whatever action you want through customized scripts on them in real time. So you can create scripts to change ownership of files and directories automatically. This solution doesn't work (and isn't required) in Microsoft Windows because of NTFS "permission inheritance".

How insecure permissions are a problem

If you allow your site to modify the files which form the code running your site, you make it much easier for someone to take over your server.Worst case scenario: a file upload tool in Drupal allows users to upload a file with any name and any contents. This allows a user to upload a mail relay PHP script to your site, which they can place wherever they want to turn your server into a machine to forward unsolicited commercial email. This script could also be used to read every email address out of your database, or other personal information.Undesirable scenario: if the malicious user can upload a file with any name but not control the contents, then they could easily upload a file which overwrites your index.php (or another critical file) and breaks your site.Undesirable scenario: if the code allows users to see the contents of files, attackers could see information which might reveal potential attack vectors.

If you are a sysadmin

Disclaimer: Don't you dare to follow this instructions blindly, each system has it's own particularities and, because of that, instructions here MUST be altered to suit your needs. All of the instructions herein written are aimed for people who knows deeply about filesystem permissions and knows exactly what all the commands written here means. If you try to follow these instructions not paying full attention on what you are doing, there is no doubt that you will be in a huge trouble. As this manual is aimed to alter filesystem permissions, and this is a root task, I'm sure you know what I'm talking about!

Note for hosted Drupal installations

This installation method presumes one shared drupal core and many subdomains installed under it. So suppose you are the owner of a hosting service that has a Drupal already pre-configured and you want to sell a hosted Drupal site with pre-configured Drupal core to your clients. So when you sell it, you create their user on the server and let them configure their own Drupal site just entering their site's address to open the install page. The way this document suggests the configuration, it will prevent customers from modifying and accessing the Drupal core files and other customer's sites files and directories.It's important to notice that the user ownership of Drupal's core directories/subdirectories and files is given to the user who administrates Drupal (usually root) and group ownership is given to the group your apache is running on. For files and directories inside the "sites" directory the user who is hosting the site on your server is their owner. One way to do this is to delete the "sites" directory under Drupal's root directory and make it a symbolic link to /home or other path you use to store user's home directories. That way, if you create user names that matches the customer's site URL, no permission will need to be changed. The only thing to be done is to change the directory group ownership to the group your apache is running on.cd /path_to_drupal_installationmv sites/* /homermdir sitesln -s /home sitesuseradd www.example.comchown -R www.example.com:www-data /home/www.example.comThe apache permission is given through group permission and others have no access at all to any files and directories on a Drupal installation. Don't give in any way permission to others, otherwise if your system is hacked through a weak password of a given user, the hacker will access all files and directories of all installed sites on your server not only the one invaded. Even a read only permission must be avoided, remember that database user name and password for each site are stored in settings.php. Worse, if you give write permission to others, the hacker WILL alter files to damage your site or upload malicious scripts to your server.The instructions in this guide assumes a non-hosted installation, so modify the ownership as needed. So where you see "greg" in these instructions, replace "greg" with the name of the user who administrates Drupal, often root, but not necessarily.

Linux servers

Permissions for files and directories on a Linux system are adjusted using the chmod command. User-owner and group-owner identity for files and directories are adjusted using the chown command.The code below demonstrates one method for changing the ownership and permissions on files and directories in the Drupal Root directory to conform the ownership and permissions to the recommendations above. We assume in the example below that the user greg is part of the greg group and that user greg is the site owner. We also assume that your are running Drupal on a server that is not in a hosting environment that provides web-site hosting to multiple customers.Make sure you run the following commands from inside Drupal's root directory! If you run these commands from any other directory, you either will not make changes to all of the Drupal installation's files and directories or you will make changes to files and directories other than those in the Drupal installation. Neither alternative is what you want to achieve.[root@localhost]cd /path_to_drupal_installation[root@localhost]chown -R greg:www-data .[root@localhost]find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;[root@localhost]find . -type f -exec chmod u=rw,g=r,o= '{}' \;The second command makes user greg the user-owner and group www-data the group-owner of all files and directories in Drupal's root directory and all subdirectories and files in those subdirectories (the -R switch means recursive). Note that in a multiple-customer hosting environment, the user-owner of the Drupal files and directories should be root.The third command in the example finds all directories and subdirectories in Drupal's root directory and executes the chmodcommand on all of those directories and subdirectories (-type d means filesystem entities that are directories). The command changes the permissions to read, write and access for user greg and read and access for users in the www-data group. Users who are not greg and not in the www-data group cannot read, write, or access the directories or subdirectories in the Drupal root directory. In numeric notation, the permission assigned to these directories and subdirectories is 750.The fourth command finds all files in the Drupal root directory and its subdirectories and changes the permissions to on those files to read and write for the user greg and read only for the www-data group. Other users have no access to these files. The numeric notation for this set of permissions is 640.For the "files" directory in the sites/default directory and any other site directories in a multi-site installation, the permissions are slightly different because the www-data must have write permission to the directory:[root@localhost]cd /path_to_drupal_installation/sites[root@localhost]find . -type d -name files -exec chmod ug=rwx,o= '{}' \;[root@localhost]for d in ./*/filesdo   find $d -type d -exec chmod ug=rwx,o= '{}' \;   find $d -type f -exec chmod ug=rw,o= '{}' \;doneThe second command above finds all subdirectories named filesbelow the sites directory and changes the permissions for the user-owner and the group-owner to read, write, and access. All other users cannot read, write to, or access these files subdirectories.The "for" loop above is written for an sh-style shell (sh, bash,ksh). If you use csh or tcsh, type bash before executing the command. These commands in the loop give read, write, and access permissions to user greg and group www-data to all subdirectories and files within the files but not access to other users. The numeric permissions code is 770.Remember that any newly installed module/theme or whatever add-on must have its permissions changed too. It's better to do this BEFORE installing the module, theme, or add-on in its appropriate Drupal directory.

Windows servers

By default, Apache runs in the built in SYSTEM account. So all you have to do is change the permission in a way that only the SYSTEM account, the administrators group and the user greg have access to the Drupal root directory, subdirectories and files (assuming greg is the site owner).You should exclude all other users and groups from the ACL. For the SYSTEM account give read only access to all Drupal directories, sudirectories and files except for the "files" directories which require write permission. For the user greg give read, modify and write permissions. And for the administrators group give complete access. Go to the Drupal root directory, right click on it, go to properties and then security.Make use of permission inheritance to make things easier for yourself. And remember that any newly installed module/theme or addon must have its permissions changed too. It's better to do this BEFORE installing it in its appropriate Drupal directory. For those who use permission inheritance it's done automatically by Windows.

Special considerations for settings.php

The settings.php file contains the database password and username in plain text and, once created, should be set so that only appropriate users can read it. That usually means removing read permissions for the "other" user.

Summarizing the permissions

drupal_admin: the user on the server that administrates Drupal, not necessarily is the root.site_admin: the owner of the hosted site (a customer)

Ownership

Core modules/themes files and directories: drupal_admin:www-dataHosted sites modules/themes/files files and directories: site_admin:www-data

Permissions

Core modules/themes directories: rwxr-x---Core modules/themes files: rw-r---Hosted sites modules/themes directories: rwxr-x---Hosted sites modules/themes files: rw-r-----Hosted sites "files" directory: rwxrwx---Hosted sites files under "files" directories: rw-rw----Hosted sites subdirectories under "files" directories: rwxrwx---Follow this guide exactly as it is to make your Drupal installation as more secure as possible. This guide was tested and works. If something goes wrong with your installation, review the steps, possibly you missed something. If it really doesn't work post a comment with your doubt, we will fix this guide.

Script based on guidelines given above

If you need to fix permissions repeatedly then the following script will help you, it is based on the guidelines given above and performs some checks before any modification to ensure it is not applied on files/directories outside your drupal installation.#!/bin/bashif [ $(id -u) != 0 ]; then        echo "This script must be run as root."        exit 1fidrupal_path=${1%/}drupal_user=${2}httpd_group="${3:-www-data}"# Help menuprint_help() {cat <<-HELPThis script is used to fix permissions of a drupal installationyou need to provide the following arguments:1) Path to your drupal installation2) Username of the user that you want to give files/directories ownership3) HTTPD group name (defaults to www-data for apache)Usage: (sudo) bash ${0##*/} --drupal_path=PATH --drupal_user=USER --httpd_group=GROUPExample: (sudo) bash ${0##*/} --drupal_path=/usr/local/apache2/htdocs --drupal_user=john --httpd_group=www-dataHELPexit 0}# Parse Command Line Argumentswhile [ $# -gt 0 ]; do        case "$1" in                --drupal_path=*) drupal_path="${1#*=}" ;; --drupal_user=*) drupal_user="${1#*=}" ;; --httpd_group=*) httpd_group="${1#*=}" ;; --help) print_help;; *) echo "Invalid argument, run --help for valid arguments"; exit 1 esac shiftdoneif [ -z "${drupal_path}" ] || [ ! -d "${drupal_path}/sites" ] || [ ! -f "${drupal_path}/modules/system/system.module" ]; then echo "Please provide a valid drupal path" print_help exit 1fiif [ -z "${drupal_user}" ] || [ $(id -un ${drupal_user} 2> /dev/null) != "${drupal_user}" ]; then echo "Please provide a valid user" print_help exit 1ficd $drupal_pathecho -e "Changing ownership of all contents of \"${drupal_path}\" :\n user => \"${drupal_user}\" \t group => \"${httpd_group}\"\n"chown -R ${drupal_user}:${httpd_group} .echo "Changing permissions of all directories inside \"${drupal_path}\" to \"rwxr-x---\"..."find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;echo -e "Changing permissions of all files inside \"${drupal_path}\" to \"rw-r-----\"...\n"find . -type f -exec chmod u=rw,g=r,o= '{}' \;echo "Changing permissions of \"files\" directories in \"${drupal_path}/sites\" to \"rwxrwx---\"..."cd ${drupal_path}/sitesfind . -type d -name files -exec chmod ug=rwx,o= '{}' \;echo "Changing permissions of all files inside all \"files\" directories in \"${drupal_path}/sites\" to \"rw-rw----\"..."echo "Changing permissions of all directories inside all \"files\" directories in \"${drupal_path}/sites\" to \"rwxrwx---\"..."for x in ./*/files; do find ${x} -type d -exec chmod ug=rwx,o= '{}' \; find ${x} -type f -exec chmod ug=rw,o= '{}' \;doneecho "Done settings proper permissions on files and directories"Copy the code above to a file, name it "fix-permissions.sh" and run it as follows:sudo bash fix-permissions.sh --drupal_path=your/drupal/path --drupal_user=your_user_nameNote: The server group name is assumed "www-data", if it differs use the --httpd_group=GROUP argument.Securing file permissions using Linux AC

Comments

re: find . -type d -name

Posted by Mike_Waters on May 7, 2009 at 1:36amre: find . -type d -name files -exec chmod ug+rwx,o-rwx {} \;This only works for a new site (e.g. one that doesn't already have files in the /sites/[site]/files directory).For the hardening of an existing site,`find . -type f -exec chmod u+r-wx,g+rw-x,o-rwx {} \;` sets all of the files inside sites/[site]/files to be read-only, and `find . -type d -name files -exec chmod ug+rwx,o-rwx {} \;` will only affect new files; anything currently existing in the /files folder will still be read-only. A `chmod -R ug+rwx,o-rwx /[path to site]/files/*` should fix this.Thanks for the howto.Login or register to post comments

I think there may be a problem with your recommended fix

Posted by ridgerunner on November 3, 2009 at 4:16pmchmod -R ug+rwx,o-rwx /[path to site]/files/*This command gives execute permissions for both the owner and group to all regular files residing within the /[path to site]/files/* tree? Isn't this a bad thing?Login or register to post comments

No

Posted by Kami Petersen on June 9, 2009 at 7:46pmIt's nuts that web server should own the site. In all normal cases your regular user (that you do your regular ssh, scp or ftp access with) should should own the installation files.Anyway, this regular user should normally own an html area exclusively, from which the web server serves the pages of the host/virtualhost, that is only readable and searchable to others (i.e. the web server). After ensuring that this is the case the user then normally copies or uploads the contents of the distribution into the html area, thus maintaining ownership and sane permissions. The user then grant the web server read, write and search permission to the files directory of the site by changing the group access. Optionally, the user also gives up his own write permissions for the files directory (in order not to tamper recklessly with this area as it should be managed exclusively by the web server).There's really no need for recipes, if the user doesn't grasp this he simply needs to do UNIX permission homework or else he'll never be secure. If that is the case, enter the following into shell or Google: man chown man chgrp man chmodLogin or register to post comments

Thanks for the advice. After

Posted by Mike_Waters on June 23, 2009 at 2:39pmThanks for the advice. After reading your post, I found the following relevant information:http://www.onlamp.com/pub/a/apache/2004/05/28/apacheckbk.html"Apache runs as the user specified in the User directive. Files need to be readable by that user. Directories need to be +x (searchable) by that user. CGI programs need to be runnable (+x) by that user."Login or register to post comments

A question

Posted by lsrzj on July 16, 2009 at 1:43pmUser apache is completely unpriviledged and has no login shell. A question, supposing that the file index.php in drupal's root have these file permissions: -r--r----- 1 apache apache 980 Mai 18 15:25 index.php. Would it be possible to an attacker explore an Apache vunerability to take advantage of the ownership by apache to execute a chmod on it and alter the permission in a way that it becomes writeable and then modify or overwrite it uploading a hacked one?Login or register to post comments

Shell or no shell

Posted by Kami Petersen on August 20, 2009 at 7:47pmShell or no shell, as long as the user the server and the php scripts runs as owns files and directories, it can also alter them. Owning files is a privilege. So if your server, or php, or Drupal has a hole, or most likely, if you accidentally allow someone to plant some php code, you're in trouble.$ ls -l secretfile---------- 1 www-data www-data 0 2009-08-20 21:10 secretfile$ wget http://localhost/malign.php > /dev/null 2>&1$ ls -l secretfile-rwxrwxrwx 1 www-data www-data 0 2009-08-20 21:10 secretfileLogin or register to post comments

Understood

Posted by lsrzj on August 25, 2009 at 1:35pmThank you for your clarification, when you told about this on the comment I became worried because I didn't think of this possibility. Now that you explained how it can be achieved I saw the problem and modified all my permissions in the server to u=rwx,g=rx,o= for directories and u=rw,g=r,o= for files and the ownership is site_owner:apache. This way only site_owner can chmod the files and directories.Login or register to post comments

doesn't work

Posted by kudak on October 25, 2009 at 9:21pmHi, permissions above look pretty tight. However it doesn't work ... at least for me (Ubuntu 8.04 x64 serv), I don't know which files have to be writable, executable etc ... but with these permissions I am getting only "Forbidden - u don't have permissions ....." to whole drupal subdirectory, when I set drupal directories to "chmod 1755" and files "chmod 1644" it's much better (perhaps sticky bit is not necessary), i can work in any case at it's very important for me (newbie in drupal). I would like to have secure site at the same time, therefore I tried permissions here from "wiki", i have experimented with them about 2 hours and ended up with working ones as I mentioned above. I haven't tried to edit .htaccess, perhaps there is also some possiblility to achieve usefull behavior.----edit-----as mike_waters points out directories need to be executable (x) so one has to # find . -type d -exec chmod u=rwx,g=rx,o=x {} \; this fix the problem, I should have read carefully his post. It could save me 3 hours of trying and googling ...Login or register to post comments

Everything is right on this post

Posted by lsrzj on February 23, 2010 at 2:10pmIf you have read those 3 commands on the beginning of this howto carefuly you should have seen that for directories it has an x to permit access.[root@localhost]cd /path_to_drupal_installation[root@localhost]chown -R greg:www-data .[root@localhost]find . -type d -exec chmod u=rwx,g=rx,o= {} \;[root@localhost]find . -type f -exec chmod u=rw,g=r,o= {} \;Login or register to post comments

I needed to modify thos

Posted by almalino on May 29, 2010 at 12:09amI needed to modify thos commands tofind . -type d -exec chmod u=rwx,g=rx,o=rx {} \; - that's 755find . -type f -exec chmod u=rw,g=r,o=r {} \; - that's 644Otherwise my Bluehost hosted Drupal site shows Forbidden when I try to access it.


Drupal projects:http://MalinaMusic.ruhttp://ephototips.comOther prijects:http://malina.mobiLogin or register to post comments

I also had to modify the permissions

Posted by rickoshay on February 11, 2011 at 10:29pmI am using Hostgator and the documented code broke my site. Being a newbie I panicked because I didn't know what files and folders I just changed. Luckily, I found this post and was back up and running.It is important to note that I could not execute the first line:chown -R greg:www-data .I omitted it when after realizing that chown was not permitted and gave me an invalid user error. Perhaps this is part of my problem.Small side note, I experimented with:find . -type d -exec chmod u=rwx,g=rx,o=r {} \;and my site still worked but had no styling. I suppose there is a use for that down the road.Login or register to post comments

Hey, it's wrong giving to

Posted by lsrzj on November 14, 2011 at 3:55pmHey, it's wrong giving to others any kind of permission and the user greg, if you read carefully, was used as an example and you MUST change it for the proper user that administrates Drupal(usually root or your user). Look at this: "To set the permissions all at once you can issue these commands from the Drupal root directory. I'm assuming that greg user is part of greg group and that greg is the site owner." It´s just an assumption just to explain a situation not an obligation. READ CAREFULLY AND REPEAT THE STEPS, YOU SURELY MISSED SOME STEP!This documentation is for site administrators, newbies must know deeply about Linux permissions scheme before using this guide.Login or register to post comments

Big thanks!

Posted by GDLTD on March 19, 2011 at 9:49pmI followed the instruction above and the entire site broke. I was having problems with a theme, thought I should go ahead and verify permissions across the entire site. Running your permissions got my site working again.The only thing worse than no documentation is documentation that doesn't work.Login or register to post comments

Hey, it's wrong giving to

Posted by lsrzj on November 14, 2011 at 3:51pmHey, it's wrong giving to others any kind of permission and the user greg, if you read carefully, was used as an example and you MUST change it for the proper user that administrates Drupal(usually root or your user). Look at this: "To set the permissions all at once you can issue these commands from the Drupal root directory. I'm assuming that greg user is part of greg group and that greg is the site owner." It´s just an assumption just to explain a situation not an obligation. READ CAREFULLY AND REPEAT THE STEPS, YOU SURELY MISSED SOME STEP!This documentation is for site administrators, newbies must know deeply about Linux permissions scheme before using this guide.Login or register to post comments

Yay!

Posted by billyverde on April 15, 2012 at 1:08amAwesome, these two lines are just what I needed to get my site running up at GoDaddy. Sheesh, what a frustrating week it's been. Thanks!Login or register to post comments

ACL Support

Posted by elizabethcb on November 17, 2009 at 5:48pmACLs are an under-used feature of Linux. It's great for web development, as the server can have one set of permissions while the developers have their own. However, I don't think Drupal supports this, because it thinks that the server has write permissions to a directory that it doesn't have write permissions to.Being brand new to Drupal, I could be wrong, but I believe I'm interpreting the example below correctly.Status Report:Configuration file Not protectedThe directory sites/default is not protected from modifications and poses a security risk. You must change the directory's permissions to be non-writable. Directory Permissions:elizabeth:/home/www/faba3.v.cryptomeme.com/webroot/sites$ lltotal 8.0Kdrwxrwx---+ 2 elizabeth staff 4.0K 2009-09-16 12:40 alldrwxrwx---+ 3 elizabeth staff 4.0K 2009-11-17 15:27 defaultelizabeth:/home/www/faba3.v.cryptomeme.com/webroot/sites$ getfacl default/# file: default/# owner: elizabeth# group: staffuser::rwxgroup::rwxgroup:www-data:r-xmask::rwxother::---default:user::rwxdefault:group::rwxdefault:group:www-data:r-xdefault:mask::rwxdefault:other::---elizabeth:/home/www/webroot/sites/default$ lltotal 28K-rw-rw----+ 1 elizabeth elizabeth 9.3K 2009-11-17 15:27 default.settings.phpdrwxrwx---+ 2 elizabeth staff     4.0K 2009-11-17 15:26 files-r--r-----+ 1 elizabeth staff     9.3K 2009-11-17 15:27 settings.phpelizabeth:/home/www/webroot/sites/default$ getfacl files/# file: files/# owner: elizabeth# group: staffuser::rwxgroup::rwxgroup:www-data:r-xmask::rwxother::---default:user::rwxdefault:group::rwxdefault:group:www-data:r-xdefault:mask::rwxdefault:other::---


Login or register to post comments

Securing the files directory permissions properly

Posted by scor on January 28, 2010 at 3:05pmNow for the "files" directories the permissions are slightly different because it must have write permission to the www-data group too [run the following from the Drupal root folder]:find . -type d -name files -exec chmod ug=rwx,o= {} \;This command is not so secure because some contrib modules contain 'files' directories such as feedapi, and in core we now have ./modules/simpletest/filesAlso, it does not cover the case where you have existing files in it the 'files' directory. I can't find a better way other than running the following commands from each sites/SITENAME/files directory:cd /sites/SITENAME/filesfind . -type d -exec chmod ug=rwx,o= {} \;find . -type f -exec chmod ug=rw,o= {} \;I'm happy to update the documentation with this, but maybe someone has a better way of doing this?Login or register to post comments

iterating through sites

Posted by akamaus on February 4, 2011 at 11:20amWhy not to do something like this:for d in sites/*/files; do  find $d -type d -exec chmod ug=rwx,o= {} \;  find $d -type f -exec chmod ug=rw,o= {} \;doneLogin or register to post comments

What you are saying is

Posted by Rajesh Ashok on January 11, 2013 at 12:54pmWhat you are saying is correct. Other modules may contain filesdirectory. Giving apache write permissions to this files directory is a security threat.Your commands are perfect.Login or register to post comments

numeric values

Posted by two_wheeler on February 6, 2010 at 12:17amMany of us work through FTP programs, and not the command line.Could you please post info on the numeric values corresponding to the CHMOD equivalents you listed here?Thanks!Login or register to post comments

Summary of permissions and numeric values

Posted by camhoward on March 8, 2010 at 2:55pmLike two_wheeler, I need to use the numeric values.As I read (and re-read) the instructions in this document under Linux servers, and combine that with the information from Mike_Waters, I think this is what they mean.For all directories and subdirectories in Drupal's root directory:Symbolic notation: rwxr-xr-xOctal numbers: 755Which means:Owner: read, write, executeGroup: read, executeOthers: read, executeFor all files inside Drupal's directories:Symbolic notation: rw-r--r--Octal numbers: 644Which means:Owner: read, writeGroup: readOthers: readFor the "files" directory inside Drupal's "sites" directory:Path: /sites/files or /sites/default/filesSymbolic notation: rwxrwxr-xOctal numbers: 775Which means:Owner: read, write, executeGroup: read, write, executeOthers: read, executeFor all files inside Drupal's "files" directory and inside any subdirectories with the "files" directoryPath: /sites/files/*.html and all other files in files directoryPath: /sites/files/subdirectories/*.html and all other files in subdirectoriesSymbolic notation: rw-rw-r--Octal numbers: 664Which means:Owner: read, writeGroup: read, writeOthers: readIf someone in-the-know could confirm or correct this it would be a big help.Thanks!Login or register to post comments

The handbook has been updated

Posted by lsrzj on March 24, 2010 at 2:25pmThe handbook has been updated and I put a session explaining the chmod non numeric permission representation. If you carefully read the results of each command you'll see that others has no access at all to any file or directory contained in Drupal's installation directory and all the directory tree below it, all the other permissions you wrote are correct. If you write the commands suggested in this handbook, you'll have the best configuration for security. You can simply copy and paste them since you are inside drupal's root directory, if you are not, you'll mess all your filesystem permissions!Login or register to post comments

file write permissions

Posted by apdp300 on March 28, 2010 at 9:48amGreat explanation of this confusing stuff, but please explain - is it necessary for any user (including the web server user) to have write permission on any files in the drupal directory at all?I think the only necessary write permission is on the files directory and subdirectories, but not on files within these directories - is this wrong?Similarly all directories should have execute permission for the web server and no files should have execute permission at all.Then if you want to edit some files the write permission on those files, and the execute permission on the directory they are in, can be givento the owner (and never the web server.)Login or register to post comments

why cannot have this permission

Posted by alb on July 2, 2010 at 8:59amwith folder files/images;If I set rwxrwxr-x and owner root I cannot upload images# Directory "iimages" is not accessible under file system!# Unable to get a working directory for the file browserIf I set rwxrwxrwx and owner root I can upload imagesbut the module alert thatSome files and directories in your install are writable by the serverIf I set rwx------ and owner apache I can upload Image but always same alert's messagewhy cannot use thisrwxrwxr-x owner root ?os centos and imce with fckeditorother:Security Review also alert regard html full, which html tags is preferable to remove from html full?Login or register to post comments

server does not run as root

Posted by bitsman on July 2, 2010 at 9:10pmUsually, server run as user www-data or nobody. So if you have your files owned by root, only if "others" with the relevant permissions will be accessing them. Check owner and groups in the "Configuration examples" at the beginning of this post.Login or register to post comments

files directory permissions for CentOS

Posted by kazar on June 6, 2011 at 1:33amon CentOS (which many cPanel servers use), cd to the public_html directory if necessary, then: chown -R nobody:nobody /sites/default/filesThis will make the apache web server able to upload images including with ckeditor/imceJust figured this out after a day of struggles hope it helps someone.http://ade.ptstrategies ~ systems ~ support

1. [@ ROOT] DRUPAL CORE PLUS OUR ADDED MODULES & THEMESAll Core Drupal Folders and Sub-Folders = 750 (rwx,r-x,---)All Core Drupal Files and Files in subfolders = 640 (rw-,r--,---)Our own modules/themes/libraries use the same lockdown permissions./sites/all/themes = as above/sites/all/modules = as above/sites/all/libraries = as above2. [@ /SITES] DRUPAL SETTINGS/sites/default Folder = 755 (rwx,r-x,r-x). Personally I think this should be = 750 (rwx,r-x,--) if it works./sites/default/settings.php = 444 (r--,r--,r--). Personally, I think this should be = 440 (r--,r--,---) if it works?3. [@ /SITES/.../FILES] WRITEABLE FILES in /sites/all/default/files folders : (like images, file attachments etc)All Folders in /sites/all/default/files and all its subfolders : 770 (rwx,rwx,---)All Files in /sites/all/default/files and it subfolder files : 660 (rw-,rw-,---)these folders/files are the exception so that Drupal can delete the files attached to posts when they are deleted etc.4. REDUCING WRITABLE FILES VULNERABILITYAddtitional recommendation by: herend on February 24, 2011 at 11:57am"...system should be configured so that the webserver does not have permission to edit or write the files which it then executes". So the server will be safer, if a security hole or a weak admin password allows to upload php files.1. files/.htaccess should not be writeable by webserver2. disable php in that folder, add this line to your files/.htaccess:AddHandler default-handler phpI hope this is a correct translation and likely to work! I will investigate and attempt. Any confirmation from lsrzj or others, that this looks sensible, would be appreciated.Login or register to post comments

On my site www-data has no premissions and the site works. Why?

Posted by vivetech on June 20, 2011 at 5:39pmI have a test site setup automatically with user=me group=me. How is www-data not even factored into this and the site works just fine. According to this tutorial. apache needs to have at least read access to the files but the www-data group/user has no permissions. Only my user/owner has permissions.All I did was download drupal and extract it and the site works fine. Working with all the permission setting above gives me all types of problems. Such as the login page not being responsive.Login or register to post comments

On a traditional system...

Posted by dman on June 20, 2011 at 10:08pmThere are at least *three* pseudo-groups that have their own permission set. 'owner', 'group', and 'other'It would be normal for a host that set your user up with a web directory to assume that you wanted stuff you put there to be world-readable, so the 'other' permissions probably include the normal 'read-only' permissions, and www-data can read and serve your files.There are now a number of extended file system properties that allow even more control than that, but in this case, they are probably not an issue..dan. is the New Zealand Drupal Developer working on Government Web Standards


ks for writing this and

Posted by Jason Sale on November 1, 2010 at 12:40pmThanks for writing this and everything, but all that I and 99% of people reading this page really want is a list of numbers next to a list of folders. This just confuses me and makes something really simple into a frustrating and confusing waste of time. Here is the permissions you should set for folders in Drupal 6.x, for those who don't feel like learning apache command line scripting just to set some permissions:/default on 755/default/files including all subfolders and files on 744 (or 755)/default/themes including all subfolders and files on 755/default/modules including all subfolders and files on 755/default/settings.php and /default/default.settings.php on 444Login or register to post comments

Works, tnx

Posted by suffering drupal on July 9, 2011 at 9:44pmBy the way Jason, I followed your indications (thank you!) and it worked :)I started with Drupal in 2007 and then my life got stuck...Login or register to post comments

A Big Thank You!

Posted by protoplasm on November 22, 2010 at 7:44pmI can't begin to tell you how quickly you resolved my can't write to files directory problem after migration with these simple cut and paste instructions:[root@localhost]cd /path_to_drupal_installation/sites[root@localhost]find . -type d -name files -exec chmod ug=rwx,o= '{}' \;[root@localhost]find . -name files -type d -exec find '{}' -type f \; | while read FILE; do chmod ug=rw,o= "$FILE"; done[root@localhost]find . -name files -type d -exec find '{}' -type d \; | while read DIR; do chmod ug=rwx,o= "$DIR"; doneSince our community has thousands and thousands of image files, what a time saver! This information helped me understand how to more tightly reign in permissions on files and saved the day for me.A big thank you.protoplasmLogin or register to post comments

little bit safer

Posted by herend on February 24, 2011 at 11:57amFirst of all: thanks for this doc, it's an important part of drupal's usage.The 1st sentence is the heart of the matter: "system should be configured so that the webserver does not have permission to edit or write the files which it then executes".'files' directory is an exception, that's why it is a security risk.If someone can upload script (php) into that folder, your server is broken.Let's minimize this case:1.files/.htaccess should not be writeable by webserver2.disable php in that folder, add this line to your files/.htaccess:AddHandler default-handler php(Your server will be safer, if a security hole or a weak admin password allows to upload php files.)Login or register to post comments

A great idea, but if you

Posted by colbykd on June 8, 2011 at 5:31amA great idea, but if you grant write permission to the "files" directory itself, that permission could be used to overwrite any .htaccess file within, regardless of the permissions on that file (at least on some OSes). So to really accomplish this, you'll need to put the directives into your main Apache site config. Something like this:<Directory /var/www/pathtositeroot/files>  SetHandler default-handler  Options None  AllowOverride None</Directory>Login or register to post comments

Still Confused

Posted by ThaboGoodDogs on March 22, 2011 at 5:06amI have some of my sites that have user and group set to apache for everything / all files and dirs. Is this bad? Under the impression that user apache is a special user with very limited permissions.Also I run my own server so don't need a user for each site I host so I assume if I need to have the user not be apache I can just create a user eg webdude and use them for all my sites or is this less secure?Drupal SEO VideoLogin or register to post comments

You must create it and you

Posted by lsrzj on November 14, 2011 at 4:00pmYou must create it and you must use this user. If a user is the file and directory onwer all limitations go to the ground. You simply can put an script to change permissions and ownerships as you want, hackers will do it undoubtedlyLogin or register to post comments

Audit what is currently writable

Posted by dman on May 4, 2011 at 12:03amFrom a serverfault threadTo see if your webserver can write to anything that it's not supposed to, if you have sudo, you can run sudo -u www-data find . -type f -writable | grep -v sites/default/files- this will list anything writable by the apache user - it should be empty after your site files dir is excluded.It will just list, not fix it for you (the commands in the OP will do that for you)..dan. is the New Zealand Drupal Developer working on Government Web StandardsLogin or register to post comments

centos find command

Posted by joelbox-Mondial-IT on September 4, 2011 at 9:26pmon centos would that be: sudo -u apache find . -type d -perm /u=w | grep -v sites/default/files ?Joel Box - Mondial-ITLogin or register to post comments

In summary...using FTP for file permissioning

Posted by lal2017 on May 26, 2011 at 1:52pmHi lsrzj, would you please confirm my translation of your documentation and your script per below:I need to use the numeric values to apply permissions via FTP for a site hosted on Bluehost.I reviewed the security script suggested in the document, under the heading: "Script based on guidelines given above". I am yet to test this but I believe it means
























No comments:

Post a Comment