Drupal Folder and File Permissions
S

3

6

I'm having a craptastic time trying to figure out how I should configure my Drupal folders and files. I've searched all over drupal.org but keep coming up with dribble about the www-data needing access to the "sites" and the "files" folder and how "settings.php" needs some awesome permissions.

But what I need is a list like this:

/ = 744 or drwxr--r--
/includes/ = ...
/misc/ = ...
/modules/ = ...
/profiles/ = ...
/scripts/ = ...
/sites/ = ...
/sites/all/ = ...
/sites/default/ = ...
/sites/default/settings.php = 444?
/sites/default/files/ = ...

I don't think I need someone to catalog every single file, folder, and permission settings for me. I'm guessing that I can just set the root folder permissions to "apply to enclosed items" and then fix the few folders and files that need special settings.

I would really appreciate any contributions that can lead me back to sanity! :)

Scott

Sheepwalk answered 22/1, 2011 at 3:35 Comment(1)
It's best to google for answers about Drupal because, now and then, you end up at Stackoverflow. +1 each for question and answer. - Kibitz
D
5

default install on my local machine has

-rw-r--r-- all php files

drwxr-xr-x directories

drwxrwxr-x files folder

-r--r--r-- settings.php file

Dielu answered 22/1, 2011 at 4:32 Comment(1)
Thanks for taking the time to look up your settings and report back. These worked for me. - Sheepwalk
D
4

I am quite late for the reply, but I ran into this problem and found a way out. From Drupal's official handbook:

Copy this into a file and name it as "fix-permissions.sh"

```bash
#!/bin/bash
if [ "$(id -u)" != 0 ]; then
        printf "This script must be run as root.\n"
        exit 1
fi
drupal_path=${1%/}
drupal_user=${2}
httpd_group="${3:-www-data}"
# Help menu
print_help() {
cat <<-HELP
This script is used to fix permissions of a Drupal installation
you need to provide the following arguments:
1) Path to your Drupal installation.
2) Username of the user that you want to give files/directories ownership.
3) HTTPD group name (defaults to www-data for Apache).
Usage: (sudo) bash ${0##*/} --drupal_path=PATH --drupal_user=USER --httpd_group=GROUP
Example: (sudo) bash ${0##*/} --drupal_path=/usr/local/apache2/htdocs --drupal_user=john --httpd_group=www-data
HELP
exit 0
}
# Parse command line arguments
while [ $# -gt 0 ]; do
        case "$1" in
                --drupal_path=*)
                        drupal_path="${1#*=}"
                        ;;
                --drupal_user=*)
                        drupal_user="${1#*=}"
                        ;;
                --httpd_group=*)
                        httpd_group="${1#*=}"
                        ;;
                --help) print_help;;
                *)
                        printf "Invalid argument, run --help for valid arguments.\n"
                        exit 1
        esac
        shift
done
# The path must contain sites/ and system.module (core/modules/... or modules/...).
# The braces group the two system.module tests; || and && have equal precedence in the shell.
if [ -z "${drupal_path}" ] || [ ! -d "${drupal_path}/sites" ] || { [ ! -f "${drupal_path}/core/modules/system/system.module" ] && [ ! -f "${drupal_path}/modules/system/system.module" ]; }; then
        printf "Please provide a valid Drupal path.\n"
        print_help
        exit 1
fi
# The quotes keep the test well-formed when id prints nothing for an unknown user.
if [ -z "${drupal_user}" ] || [ "$(id -un "${drupal_user}" 2> /dev/null)" != "${drupal_user}" ]; then
        printf "Please provide a valid user.\n"
        print_help
        exit 1
fi
# Stop if cd fails, so the recursive chown/chmod below never runs in another directory.
cd "${drupal_path}" || exit 1
printf 'Changing ownership of all contents of "%s":\n user => "%s" \t group => "%s"\n' "${drupal_path}" "${drupal_user}" "${httpd_group}"
chown -R "${drupal_user}:${httpd_group}" .
printf 'Changing permissions of all directories inside "%s" to "rwxr-x---"...\n' "${drupal_path}"
find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;
printf 'Changing permissions of all files inside "%s" to "rw-r-----"...\n' "${drupal_path}"
find . -type f -exec chmod u=rw,g=r,o= '{}' \;
printf 'Changing permissions of "files" directories in "%s/sites" to "rwxrwx---"...\n' "${drupal_path}"
cd sites || exit 1
find . -type d -name files -exec chmod ug=rwx,o= '{}' \;
printf 'Changing permissions of all files inside all "files" directories in "%s/sites" to "rw-rw----"...\n' "${drupal_path}"
printf 'Changing permissions of all directories inside all "files" directories in "%s/sites" to "rwxrwx---"...\n' "${drupal_path}"
for x in ./*/files; do
        find "${x}" -type d -exec chmod ug=rwx,o= '{}' \;
        find "${x}" -type f -exec chmod ug=rw,o= '{}' \;
done
echo "Done setting proper permissions on files and directories"
```

Now run this script as:

```bash
sudo bash fix-permissions.sh --drupal_path=your/drupal/path --drupal_user=your_user_name
```

Voilà! Your permissions are automatically fixed.

Depreciatory answered 9/6, 2014 at 12:17 Comment(0)
P
0

A) It is not advisable to give any form of access to the world, even if it is just read access.

B) Giving the owner of the file only read access leads to a complicated maintenance process (e.g. the most common recommendation, that settings.php should be read-only to all); this will only increase your tasks whenever you want to modify the settings.

In a nutshell:

- The world needs 0 access, not even to the public folder.
- Your web server needs read-only access to all files, except the public folder and tmp folder; these will be both read and write.
- Your file owner needs full access to all files, to keep maintenance simple.

This, however, will work best when the file owner and the web server owner are 2 separate users, and you have ssh control over the server and are able to modify the file ownership.

The script below will work when you have the following directory structure:

Site Folder

Site Folder/conf (containing apache virtual host configuration files for this site)

Site Folder/htdocs (containing the site)

In this scenario: kalpesh is the file owner and daemon is the webservice owner - it may be www-data for your site.

I normally save such a script in a .sh file and then add it to cron, so that whenever my team members upload new content on the site or update a module, the site's permissions don't get compromised by their mistakes. Cron will execute the script and repair permissions every 24 hours.

```bash
# kalpesh = file owner, daemon = web server group (see above)
cd ToSiteFolder

sudo chown kalpesh:daemon .
sudo chmod 750 .

# Virtual host configuration: owner read/write, web server read-only
sudo chown -R kalpesh:daemon ./conf
sudo find ./conf -type d -exec chmod 750 {} +
sudo find ./conf -type f -exec chmod 640 {} +

# Site code: owner read/write, web server read-only
sudo chown -R kalpesh:daemon ./htdocs
sudo find ./htdocs -type d -exec chmod 750 {} +
sudo find ./htdocs -type f -exec chmod 640 {} +

# Public files folder: writable by the web server
sudo find ./htdocs/sites/default/files -type d -exec chmod 770 {} +
sudo find ./htdocs/sites/default/files -type f -exec chmod 660 {} +

# tmp folder: writable by the web server
sudo find ./htdocs/tmp -type d -exec chmod 770 {} +

sudo chmod 640 ./htdocs/sites/default/settings.php
sudo chmod 750 ./htdocs/sites/default
```

There is a blog that explains this beautifully and breaks many myths. https://technologymythbuster.blogspot.com/2018/06/misconception-about-file-ownerships-and.html

Principate answered 8/6, 2018 at 4:8 Comment(0)
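
An added example, not part of any answer above or of Drupal's handbook: a read-only audit that reports where a tree deviates from the modes the last two answers set (no access for other, group write only under sites/<site>/files and tmp, no executable files in the upload folder). It assumes GNU find; the function names and the sample tree are constructed for illustration.

```bash
#!/bin/bash
# Added example: read-only audit, it changes nothing on disk.
# Assumes GNU find (-perm /MODE, -printf, -regex).
# Policy checked, taken from the answers above:
#   OTHER_ACCESS  no permission bits for "other" anywhere
#   GROUP_WRITE   group write only under sites/<site>/files and ./tmp
#   UPLOAD_EXEC   no execute bit on regular files under sites/<site>/files

# Runs in a subshell, so the cd does not leak into the caller.
# Exit status: 0 = clean, 1 = findings printed, 2 = not a Drupal root.
audit_drupal_perms() (
    [ -n "$1" ] && cd "$1" 2>/dev/null && [ -d sites ] || {
        printf 'Not a Drupal root: %s\n' "$1" >&2
        exit 2
    }
    findings="$(
        {
            find . \( -type f -o -type d \) -perm /o=rwx \
                -printf 'OTHER_ACCESS %m %p\n'
            find . \( -regex '\./sites/[^/]*/files' -o -path ./tmp \) -prune -o \
                \( -type f -o -type d \) -perm /g=w \
                -printf 'GROUP_WRITE %m %p\n'
            find . -type f -regex '\./sites/[^/]*/files/.*' -perm /a=x \
                -printf 'UPLOAD_EXEC %m %p\n'
        } | sort
    )"
    [ -z "${findings}" ] && exit 0
    printf '%s\n' "${findings}"
    exit 1
)

# Constructed sample tree (not a real Drupal install) with two deviations.
make_sample_tree() {
    local t
    t="$(mktemp -d)" || return 1
    mkdir -p "${t}/sites/default/files" "${t}/modules"
    touch "${t}/index.php" "${t}/modules/a.module" \
        "${t}/sites/default/settings.php" "${t}/sites/default/files/up.php"
    find "${t}" -type d -exec chmod 750 {} +
    find "${t}" -type f -exec chmod 640 {} +
    chmod 770 "${t}/sites/default/files"
    chmod 666 "${t}/sites/default/settings.php"  # deviation: group/world writable
    chmod 750 "${t}/sites/default/files/up.php"  # deviation: executable upload
    printf '%s\n' "${t}"
}
```

Run `audit_drupal_perms /path/to/drupal` as a user who can read the whole tree. From cron, a non-zero exit status shows that something re-opened permissions since the last repair run.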
