Faulty file permissions can be fatal to your site. Therefore understanding the concept is important.

Linux is a multi-user operating system. Each file (including directories) has an owner and a group. Below, every entry is owned by the user spokane and belongs to the group wheel:

$ ll
total 296
-rw-r--r--.  1 spokane wheel    312 Nov 26 17:50 autoload.php
-rw-r--r--.  1 spokane wheel   3154 Nov 26 17:50 composer.json
-rw-r--r--.  1 spokane wheel 225802 Nov 26 17:50 composer.lock
drwxr-xr-x. 12 spokane wheel   4096 Jul 21 16:03 core
-rw-r--r--.  1 spokane wheel   1507 Jul 21 16:03 example.gitignore
-rw-r--r--.  1 spokane wheel    549 Jul 21 16:03 index.php
-rw-r--r--.  1 spokane wheel     95 Jul 21 16:03 INSTALL.txt
drwxrwxr-x.  3 spokane wheel     26 Oct 28 06:33 libraries
-rw-r--r--.  1 spokane wheel  18092 Nov 16  2016 LICENSE.txt
drwxr-xr-x.  3 spokane wheel     39 Nov 26 17:50 modules
drwxr-xr-x.  3 spokane wheel     67 Aug  9 11:34 profiles
-rw-r--r--.  1 spokane wheel   5924 Jul 21 16:03 README.txt
-rw-r--r--.  1 spokane wheel   1594 Jul 21 16:03 robots.txt
drwxr-xr-x.  3 spokane wheel    130 Oct 27 19:13 sites
drwxr-xr-x.  2 spokane wheel     24 Jul 21 16:03 themes
-rw-r--r--.  1 spokane wheel    848 Jul 21 16:03 update.php
drwxr-xr-x. 33 spokane wheel   4096 Nov 26 17:50 vendor
-rw-r--r--.  1 spokane wheel   4566 Jul 21 16:03 web.config

The question is how much freedom other users have to read (r), write (w) or execute (x) his files.

Let’s examine this permission matrix:

rwxrwxrwx

It can be divided into three parts, each a set of three bits, each belonging to a category: the first rwx is for the user who owns the file, the second rwx for the owner's group, and the last rwx for all others.

The expression above means: everyone has full access.

The expression below is worth analyzing:

rwxrw-r--

It means: the owner can do anything, his group can read and write but not execute (x), and others can only read.

Let’s assess the security of your site’s filesystem.

File Ownership

On Debian and Ubuntu systems the Apache process runs as the user www-data in the group www-data. On RHEL and CentOS the user is apache and the group is apache. I’ll demonstrate with the latter.

How do I find which user and group my Apache runs as? On RHEL/CentOS the User and Group directives are in /etc/httpd/conf/httpd.conf. On Debian the configuration directory is /etc/apache2 instead of /etc/httpd, and the two values are set as APACHE_RUN_USER and APACHE_RUN_GROUP in /etc/apache2/envvars. What matters for us is that the web server process can access any file that the user apache or the group apache can access; it has no other special privileges.

egrep -i '^user|^group' /etc/httpd/conf/httpd.conf
User apache
Group apache

Now, thinking of your own site, let’s examine a few situations:

(insecure)

-rw-rw-rw-  1 apache  apache   873 2007-11-13 15:35 index.php

This configuration allows the apache user to edit index.php, and because the last three bits are rw-, so can every other user on the system. A single code-execution or file-write bug in the web application is then enough to rewrite the site's code.

(secure)

-rw-r-----  1 spokane   apache     873 2020-13 15:35 index.php

The owner spokane can read and write the file, the apache group can only read it, which is all the web server needs in order to serve it, and everyone else is locked out.

Another example, this time on the modules folder. The leading d means the entry is a directory.

(insecure)

drwxrwx--- 32 spokane apache  4096 2021-05-16 11:48 modules/

Every member of the apache group, including the web server process, can create, delete and rename files in modules/.

(secure)

drwxr-x--- 32 spokane   apache    4096 2021-01-18 11:48 modules/

Much better: the web server can enter the directory and read the modules, but it cannot add or change anything there.

(insecure)

drwxrwx---  7 apache  apache  4096 2021-01-18 11:02 files/

This configuration is dangerous for the reasons outlined before: the directory is owned by apache and is writable by the whole apache group. Note that the x bit on a directory does not mean its contents can be executed; it means the directory can be entered (traversed). So every member of the apache group can both enter files/ and write into it.

(secure)

drwxrwx---  7 apache    spokane  4096 2021-01-18 11:02 files/

Here the group is spokane, the administrator's own group, so only the web server user (as owner) and the administrator can write into files/. The web server still needs to write here because this is where uploaded files land, so the protection comes from keeping the group tight, not from removing the owner's write bit. On most Linux distributions a newly created user is automatically given a private group with the same name as the user.

Now you can change ownership as follows. Use the owner and group from the secure examples above: the administrator owns the code and the apache group may only read it, while the files directory is owned by apache with the administrator's group:

sudo chown -R spokane:apache /var/www/html/my-site
sudo chown -R apache:spokane /var/www/html/my-site/sites/default/files

Add your user spokane to the apache group: sudo usermod -a -G apache spokane (the new membership applies to new login sessions). Or remove the user spokane from the group: sudo gpasswd -d spokane apache.

As a quick test of your site's file permissions you can run the Security Review module.
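The Security Review module checks this from inside Drupal; the following is an added example (not from the original post, nor part of any Drupal module) that does the same assessment from the shell, reading ownership and mode bits the way the listings above are read. audit_writable takes the site root and the web server's user and group as parameters (apache/apache on RHEL, www-data/www-data on Debian); the demo at the bottom builds a small constructed tree and, so that it runs without root, treats the current user and group as if they were the web server identity.

```shell
#!/bin/sh
# Added example: list everything under a site root that the web server
# process could modify. A file is writable by the web server when others
# have w, when its group is the web server's group and group has w, or when
# the web server user owns it and owner has w.

# audit_writable ROOT WEB_USER WEB_GROUP
# Prints "<path> <reason>" for each entry the web server could write to.
audit_writable() {
    root=$1
    web_user=$2
    web_group=$3
    {
        # others have w: anybody on the box, the web server included, can write
        find "$root" -perm -002 -print | sed 's/$/ world-writable/'
        # group w and the group is the web server's group
        find "$root" ! -perm -002 -group "$web_group" -perm -020 -print \
            | sed "s/$/ writable by group $web_group/"
        # owner w and the owner is the web server user (not already listed above)
        find "$root" ! -perm -002 ! \( -group "$web_group" -perm -020 \) \
            -user "$web_user" -perm -200 -print \
            | sed "s/$/ owned and writable by $web_user/"
    } | sort
}

# Constructed demo tree mirroring the listings in the text. The current user
# and group stand in for apache/apache so that this runs as an ordinary user.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/modules" "$tree/sites/default/files"
    printf '<?php\n' > "$tree/index.php";  chmod 644 "$tree/index.php"   # owner may write
    printf '<?php\n' > "$tree/update.php"; chmod 666 "$tree/update.php"  # world-writable
    printf '<?php\n' > "$tree/sites/default/settings.php"
    chmod 444 "$tree/sites/default/settings.php"                        # read-only
    chmod 770 "$tree/modules"                                           # group-writable
    chmod 775 "$tree/sites/default/files"                               # upload area
    echo "Findings (web server identity assumed to be $(id -un):$(id -gn)):"
    audit_writable "$tree" "$(id -un)" "$(id -gn)"
    rm -rf "$tree"
}

demo
```

On a real site run it as audit_writable /var/www/html/my-site apache apache; every line it prints is a place where a compromised web application could change code or configuration, and the only hits you should see are the upload directory and its contents.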

File Permission

There is an alternative to the rwx notation: the octal notation, in which each of r, w and x is one bit of a three-bit number.

r = 4
w = 2
x = 1

where r = 2^2, w = 2^1 and x = 2^0. So rx is 5, rw is 6 and the full set rwx is 7. Writing one digit per category gives the familiar three-digit mode: rwxrwxrwx is 777 (full permission for everyone), rwxr-xr-x is 755 and r--r--r-- is 444 (read-only for everyone).
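To make the mapping between the permission matrix discussed earlier (rwxrwxrwx, rwxrw-r--) and the octal digits concrete, here is an added example in POSIX sh; it is not code from the original post. sym_to_octal and octal_to_sym convert in both directions, and who_can_write answers the question that matters for a web root: which of the three categories holds the w bit.

```shell
#!/bin/sh
# Added example: symbolic <-> octal permission conversion.

# sym_to_octal rwxrw-r--   -> 764
sym_to_octal() {
    sym=$1
    [ "${#sym}" -eq 9 ] || { echo "sym_to_octal: expected 9 characters, got '$sym'" >&2; return 1; }
    result=""
    for start in 1 4 7; do
        # one rwx triple: owner, then group, then others
        triple=$(printf '%s' "$sym" | cut -c "$start-$((start + 2))")
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac   # r = 2^2
        case $triple in ?w?) n=$((n + 2)) ;; esac   # w = 2^1
        case $triple in ??x) n=$((n + 1)) ;; esac   # x = 2^0
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# octal_to_sym 640   -> rw-r-----
octal_to_sym() {
    oct=$1
    case $oct in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: expected three octal digits, got '$oct'" >&2; return 1 ;;
    esac
    result=""
    for pos in 1 2 3; do
        d=$(printf '%s' "$oct" | cut -c "$pos")
        if [ $((d & 4)) -ne 0 ]; then result="${result}r"; else result="${result}-"; fi
        if [ $((d & 2)) -ne 0 ]; then result="${result}w"; else result="${result}-"; fi
        if [ $((d & 1)) -ne 0 ]; then result="${result}x"; else result="${result}-"; fi
    done
    printf '%s\n' "$result"
}

# who_can_write rwxrw-r--  -> "owner group"; prints "nobody" for r--r--r--
who_can_write() {
    sym=$1
    out=""
    case $sym in ?w???????) out="owner" ;; esac
    case $sym in ????w????) out="$out group" ;; esac
    case $sym in ???????w?) out="$out others" ;; esac
    out=${out# }
    printf '%s\n' "${out:-nobody}"
}

# The four modes used as examples in the text.
for m in rwxrwxrwx rwxrw-r-- rw-r----- r--r--r--; do
    printf '%-10s %s  writable by: %s\n' "$m" "$(sym_to_octal "$m")" "$(who_can_write "$m")"
done
```

The case patterns read the nine characters positionally, which is exactly what ls -l shows in its first column after the type flag (d for directories, - for regular files).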

You can set the permissions on files or directories with chmod:

chmod -R 755 /var/www/html/my-site/sites/default/files

Be careful with -R: it applies the same mode to directories and to the files inside them, so 755 turns every uploaded file into an executable one. To give directories 755 and files 644, apply chmod through find with -type d and -type f instead of a recursive chmod.

For a Drupal site here is a recommended set of permissions.

Themes and modules.

/default/themes      755
/default/modules     755

Files

/default/files       755
/default/settings.php 444

settings.php is not writable because its permission is 444, which means nobody, not even the owner, can write to it without first changing the mode. If you need to make changes, temporarily give the owner write access, for example 640 so that the web server group can still read it, edit the file and then set it back to 444. Avoid 700 here: with the ownership used above (owner spokane, group apache) it would lock the web server out of its own configuration while you edit.

Private file system: 755 for its directories. Files that the web server must be able to write: 664, so that the owner and the web server group can write while everybody else can only read (666 would make them world-writable, the very situation called insecure above). Do not use 666 on a directory either: a directory without the x bit cannot be entered, so the web server could not reach the files inside it. A writable directory needs 775, or 755 when the web server owns it.
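The recommended set above, applied with find rather than a recursive chmod so that directories and files receive different bits. This is an added example, not from the original post or from Drupal itself. It assumes a standard Drupal layout (sites/default/settings.php, sites/default/files); the code-file mode 644, the upload-file mode 664 and the upload-directory mode 775 are my refinements of the table, which lists only 755 and 444. apply_ownership needs root and real apache/spokane accounts, so the demo only exercises apply_modes on a constructed tree.

```shell
#!/bin/sh
# Added example: apply the recommended Drupal modes and ownership.

# apply_modes ROOT
#   code directories 755, code files 644, settings.php 444,
#   upload directories 775, uploaded files 664
apply_modes() {
    root=$1
    files_dir="$root/sites/default/files"

    # Code tree: readable by everyone, writable only by the owner. Files do not
    # get the x bit, which a recursive "chmod -R 755" would have given them.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Upload area: the web server must write here, so the group may write too;
    # directories keep x so that they can be entered.
    if [ -d "$files_dir" ]; then
        find "$files_dir" -type d -exec chmod 775 {} +
        find "$files_dir" -type f -exec chmod 664 {} +
    fi

    # Configuration is read-only for everyone once the site is installed.
    if [ -f "$root/sites/default/settings.php" ]; then
        chmod 444 "$root/sites/default/settings.php"
    fi
    return 0
}

# apply_ownership ROOT ADMIN WEB_USER WEB_GROUP   (must run as root)
#   code:        ADMIN:WEB_GROUP, so the web server can read but not write
#   upload area: WEB_USER:ADMIN, mirroring the secure files/ listing above
apply_ownership() {
    root=$1; admin=$2; web_user=$3; web_group=$4
    chown -R "$admin:$web_group" "$root"
    chown -R "$web_user:$admin" "$root/sites/default/files"
}

# mode_of PATH -> the ten-character mode column from ls, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" | cut -c 1-10
}

# Constructed demo: a tree with deliberately wrong modes, fixed in place.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/modules/custom" "$tree/sites/default/files/pictures"
    printf '<?php\n' > "$tree/index.php";                   chmod 777 "$tree/index.php"
    printf '<?php\n' > "$tree/sites/default/settings.php";  chmod 666 "$tree/sites/default/settings.php"
    printf 'jpg\n'  > "$tree/sites/default/files/pictures/a.jpg"
    chmod 600 "$tree/sites/default/files/pictures/a.jpg"
    apply_modes "$tree"
    for p in index.php modules/custom sites/default/settings.php \
             sites/default/files sites/default/files/pictures/a.jpg; do
        printf '%s %s\n' "$(mode_of "$tree/$p")" "$p"
    done
    rm -rf "$tree"
}

demo
```

On a live site run apply_ownership first and apply_modes second (sudo sh -c '. ./perms.sh; apply_ownership /var/www/html/my-site spokane apache apache; apply_modes /var/www/html/my-site', with the functions saved in perms.sh), then re-check with ls -l that modules/ shows drwxr-xr-x and sites/default/files shows drwxrwxr-x.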

To be continued.