What are the recommended directory permissions?

Solutions

My practice around creating a new Drupal site on a server is to have a user that is a part of the web server (typically Apache) group, and have that user own all the Drupal files. On Ubuntu, these are the commands to get that set up:

# Create a new example user, setting up /var/www/example as their home dir.
useradd -s /bin/bash -d /var/www/example -m example

# Now add that user to the Apache group. On Ubuntu/Debian this group is usually
# called www-data, on CentOS it's usually apache.
usermod -a -G www-data example

# Set up a password for this user.
passwd example

Once I have that set up, I'll log in as that user and install Drupal at /var/www/example/docroot or similar, and then create the files directory by hand and copy over the settings.php file. Since we log in as our example user before copying in Drupal, our file ownership and permissions should automatically be properly configured on all the core Drupal files and scripts (including .htaccess files).

su - example
cd docroot
cp sites/default/default.settings.php sites/default/settings.php

# Temporarily give the web server write permissions to settings.php
chgrp www-data sites/default/settings.php
chmod g+w sites/default/settings.php

Now let's set up the files directory.

# Create the directory.
mkdir sites/default/files

# Now set the group to the Apache group. -R means recursive, and -v means 
# verbose mode.
chgrp -Rv www-data sites/default/files

Next we'll set up permissions so that the web server can always write to any file that is in this directory. We do this by using 2775 in our chmod command. The 2 means that the group id will be preserved for any new files created in this directory. What that means is that www-data will always be the group on any files, thereby ensuring that the web server and the user will both always have write permissions to any new files that are placed in this directory. The first 7 means that the owner (example) can R (Read), W (Write) and X (Execute) any files in here. The second 7 means that the group (www-data) can also R, W and X any files in this directory. Finally, the 5 means that other users can R and X files, but not write.

chmod 2775 sites/default/files

If there are any existing files in this directory, be sure the web server has write perms on them.

chmod -R g+w sites/default/files

Now Drupal is ready to be installed. When finished, it is VERY important to come back to settings.php and ensure that all users only have read permissions.

chmod 444 sites/default/settings.php

That's it! This setup ensures you avoid any situations where either the user that owns the directory or the web server can't write/change/remove files in the files directory.

That Drupal page, like so many, is very long and confusing. But it contains this post by Jason, who hit the nail on the head:

Posted by Jason Sale on November 1, 2010 at 12:40pm

Thanks for writing this and everything, but all that I and 99% of people reading this page really want is a list of numbers next to a list of folders.

  • /default on 755
  • /default/files including all subfolders and files on 744 (or 755)
  • /default/themes including all subfolders and files on 755
  • /default/modules including all subfolders and files on 755
  • /default/settings.php and /default/default.settings.php on 444

Your web server should be able to read all of the files but not write to them. If your site involves uploading files then give the server permission to write to that one folder only.

More information on how to set that up, as well as some things that can happen if you don't, is available in the Drupal docs.
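As an added example (not part of either answer above or of the Drupal docs), this shell function audits a docroot against the layout the answers describe: settings.php with no write bits, sites/default/files with setgid and group rwx, and no group or other write bit anywhere else. The function name is made up for illustration and the paths assume the Drupal 7 layout used above.

```shell
# Added example: audit a Drupal docroot against the permission layout above.
# Usage: audit_drupal_perms /var/www/example/docroot
# Prints one line per finding; exit status is non-zero if there is any.
# The ( ) body runs in a subshell, so variables stay local to the function.
audit_drupal_perms() (
    docroot=${1%/}
    settings="$docroot/sites/default/settings.php"
    files="$docroot/sites/default/files"
    status=0

    # settings.php holds the database credentials: once the installer is
    # done, no write bit should be left on it (mode 444).
    if [ -n "$(find "$settings" \( -perm -200 -o -perm -020 -o -perm -002 \) \
            -print 2>/dev/null)" ]; then
        echo "settings.php is writable: $settings"
        status=1
    fi

    # The upload directory needs setgid plus group rwx (the 2 and the
    # second 7 of 2775) so new files keep the web server's group.
    if [ -z "$(find "$files" -prune -perm -2070 -print 2>/dev/null)" ]; then
        echo "files directory is missing setgid or group rwx: $files"
        status=1
    fi

    # Inside files/ only "other" write is a finding (the 5 of 2775).
    # Everywhere else, group or other write means the web server or any
    # local user could modify code. Symlink modes are not meaningful.
    loose=$(
        find "$files" ! -type l -perm -002 -print 2>/dev/null
        find "$docroot" -path "$files" -prune -o \
            ! -type l \( -perm -020 -o -perm -002 \) -print
    )
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/unexpected write bit: /'
        status=1
    fi

    exit "$status"
)
```

Run it after the installer has finished and again after module updates, since archive extraction and deployment tools can reintroduce group-writable code directories.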

Tags: Drupal 7 / Users / Security
