Drupal is a free, open-source framework for Web Content Management.
Because it is freely available, anyone can read and rewrite the source code. Hackers, too, can gain access to files and manipulate them.
To secure files, we need to set Drupal file permissions.
At 1 onlyhost, we often get requests from our customers to set up Drupal file permissions as part of our Server Management Services.
Today, we’ll see how our Support Engineers modify file permissions in Drupal and fix the related errors.
Benefits of setting file permissions
Firstly, let’s check on the benefits of setting proper file permissions.
In fact, setting the file permissions correctly doesn’t shield your website from all attacks. But it will definitely secure your site to some extent.
In addition, it's a boon to developers who want to hide the website code from their users.
This is a great advantage to the security measures on websites.
How to set Drupal file permissions
Basically, there are 2 different methods to set file permissions in Drupal.
Let’s see how our Support Engineers execute the steps.
– Using file manager
1. Initially, we log in to the cPanel and access File Manager with proper credentials.
2. Next, we right-click on the Drupal folder and select the File Permissions option.
3. Then, a new window will pop up and we enter the value “640”. (Note: By default, all file permissions have the value 640.)
4. After that, we enable the Recurse into subdirectories option and click “Apply to files only”.
5. At last, we click the OK button to save the changes.
It takes several minutes to reflect the permissions for a large number of files.
– From command line
We can also change the settings for the Drupal website using this command.
chmod -R 640 file.txt
This setup allows the owner to read and write and the group to read, and gives others no permissions.
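The command-line counterpart of the File Manager steps above (recurse into subdirectories, apply to files only), as an added example that is not part of the original article. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Set every regular file under $1 to 640 (owner rw, group r, others none).
# Directories are skipped, so they keep the execute (search) bit that is
# required to enter them; this mirrors "Apply to files only" with recursion.
set_drupal_file_perms() {
    find "$1" -type f -exec chmod 640 {} +
}

# Print regular files under $1 whose mode is not exactly 640.
list_files_not_640() {
    find "$1" -type f ! -perm 640 -print
}

# Print directories under $1 that their owner cannot enter (no u+x bit),
# the state a directory is left in when 640 is applied to it as well.
list_untraversable_dirs() {
    find "$1" -type d ! -perm -100 -print
}

# Build a constructed sample tree (not a real Drupal install), print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sites/default/files" "$root/core"
    : > "$root/index.php"
    : > "$root/sites/default/example.inc"
    : > "$root/sites/default/files/upload.txt"
    chmod 644 "$root/index.php"
    chmod 666 "$root/sites/default/example.inc"
    chmod 777 "$root/sites/default/files/upload.txt"
    printf '%s\n' "$root"
}

# Demo: audit, fix, then audit again on the constructed tree.
demo() {
    tree=$(make_sample_tree) || return 1
    echo "Files not at 640 before:"; list_files_not_640 "$tree"
    set_drupal_file_perms "$tree"
    echo "Files not at 640 after (should be empty):"; list_files_not_640 "$tree"
    echo "Untraversable directories (should be empty):"
    list_untraversable_dirs "$tree"
    rm -rf "$tree"
}

demo
```

To use it on a real site, pass the Drupal folder to set_drupal_file_perms instead of the sample tree.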
Troubleshooting file permissions in Drupal 8
From our experience in managing servers, we’ve seen customers facing Drupal issues after changing the file permissions.
Let’s take a closer look at how our Support Engineers fix them.
1. Wrong PHP permissions
Recently, one of our customers approached us after upgrading Drupal. When he checked the website's status report, he found an error like:
"The file sites/default/settings.php is not protected from modifications and poses a security risk. You must change the file's permissions to be non-writable."
In Drupal, the database settings are stored in the settings.php file under the sites/default directory.
So, to run the Drupal site efficiently, we need to set the correct permissions on the settings.php file by running this command:
chmod 644 sites/default/settings.php
That fixed the problem, and the user no longer got this error.
2. SELinux not enabled
Similarly, another customer reported that, even after setting the file permissions correctly, he got an error like “The directory sites/default/files is not writable.” when he was trying to install the LAMP stack.
On some platforms, such as Fedora and CentOS, file permission settings are affected when SELinux is enabled. SELinux is a kernel module that supports access control security policies.
So, to make Drupal run under SELinux we run the following commands:
chcon -Rt public_content_rw_t sites/default/files
setsebool -P allow_httpd_anon_write=1
That fixed the problem. Now, the user could install the LAMP stack without any failure.
Conclusion
In short, to secure files from hackers we need to set proper file permissions. Today, we saw how our Support Engineers set up Drupal file permissions and fix the related errors.