Drupal - What are the recommended directory permissions?
That drupal page like so many is very long and confusing. But it contains this post by Jason, who hit the nail on the head:
Posted by Jason Sale on November 1, 2010 at 12:40pm
Thanks for writing this and everything, but all that I and 99% of people reading this page really want is a list of numbers next to a list of folders.
/defaulton 755/default/filesincluding all subfolders and files on 744 (or 755)/default/themesincluding all subfolders and files on 755/default/modulesincluding all subfolders and files on 755/default/settings.phpand/default/default.settings.phpon 444
My practice around creating a new Drupal site on a server is to have a user that is a part of the web server (typically Apache) group, and have that user own all the Drupal files. On Ubuntu, these are the commands to get that set up:
# Create a new example user, setting up /var/www/example as their home dir.
useradd -s /bin/bash -d /var/www/example -m example
# Now add that user to the Apache group. On Ubuntu/Debian this group is usually
# called www-data, on CentOS it's usually apache.
usermod -a -G www-data example
# Set up a password for this user.
passwd example
Once I have that set up, I'll log in as that user and install Drupal at /var/www/example/docroot or similar, and then create the files directory by hand and copy over the settings.php file. Since we log in as our example user before copying in Drupal, our file ownership and permissions should automatically be properly configured on all the core Drupal files and scripts (including .htaccess files).
su - example
cd docroot
cp sites/default/default.settings.php sites/default/settings.php
# Temporarily give the web server write permissions to settings.php
chgrp www-data sites/default/settings.php
chmod g+w sites/default/settings.php
Now let's set up the files directory.
# Create the directory.
mkdir sites/default/files
# Now set the group to the Apache group. -R means recursive, and -v means
# verbose mode.
chgrp -Rv www-data sites/default/files
Next we'll set up permissions so that the web server can always write to any file that is in this directory. We do this by using 2775 in our chmod command. The 2 means that the group id will be preserved for any new files created in this directory. What that means is that www--data will always be the group on any files, thereby ensuring that web server and the user will both always have write permissions to any new files that are placed in this directory. The first 7 means that the owner (example) can R (Read) W (Write) and X (Execute) any files in here. The second 7 means that group (www-data) can also R W and X any files in this directory. Finally, the 5 means that other users can R and X files, but not write.
chmod 2775 sites/default/files
If there are any existing files in this directory, be sure the web server has write perms on them.
chmod g+w -R sites/default/files
Now Drupal is ready to be installed. When finished, it is VERY important to come back to settings.php and ensure that all users only have read permissions.
chmod 444 sites/default/settings.php
That's it! This set up ensures you avoid any situations where either the user that owns the directory or the web server can't write/change/remove files in the files directory.
Your web server should be able to read all of the files but not write to them. If your site involves uploading files then give the server permission to write to that one folder only.
More information on how to set that up, as well as some things that can happen if you don't, is available in the Drupal docs.