Score:0

Am I hardening the permissions in settings.php correctly?

mv flag

Last month, I encountered an issue where I could not edit settings.php as it was read-only.

I asked this question and learned how to change the permissions to edit the file, and then harden them again. The result was that vim would warn me a file is read-only until I used chmod a+w settings.php. After this, vim would no longer warn me about this and I could make the changes I need. Finally, I used chmod go-w settings.php to harden the permissions again, and once again, vim gave me a warning that it is read-only.

Today I created two more Drupal sites and have to edit multiple settings.php files. I repeated the same process, but this time I noticed that I no longer got the warning from vim that the file is read-only after hardening the permissions. Furthermore, I could edit the files freely.

I started digging to see why the permissions weren't blocking me from editing the file and discovered that the file permissions are -rw--r--r-- so that I, as the owner, could edit the file. This is different from the default permissions on the settings.php file that instead look like -r--r--r--. I asked about this on the Unix Stack Exchange and was informed that this is the expected outcome of the chmod go-w settings.php command.

My main concern now is if this poses the same security risk for the site as having a writable settings.php file? Should I instead be using chmod a-w settings.php to get -r--r--r-- permissions, or is -rw--r--r-- sufficiently secure for a live Drupal site?

Score:0
cn flag

This is covered in the docs:

After the installation script has run, Drupal tries to set the permissions automatically to:

  • 555 (read-execute) [dr-xr-xr-x] for the sites/default folder
  • 444 (read-only) [-r--r--r--] for settings.php

If not, you will need to manually set them:

chmod 555 sites/default 
chmod 444 sites/default/settings.php 

These permissions are correct, and should not be changed, because changing these opens up a security risk.

Emphasis mine, that last paragraph is essentially the answer to your question - Drupal recommends that you remove owner write permissions from the settings.php file.

In reality, if you’re sysadmin, there’s every chance you might know better than this for your setup, and can take a different approach. But if you don’t know better, it would be advisable to stick to the recommendations and remove the owner’s ability to write.

GeorgeCiesinski
mv flag
You are correct, but there is also a contradictory statement in the [core/INSTALL.txt](https://git.drupalcode.org/project/drupal/-/blob/11.x/core/INSTALL.txt) linked to my last question: "Next, grant write privileges to the file to everyone (including the web server) with the command:" `chmod a+w sites/default/settings.php` "Be sure to set the permissions back after the installation is finished! Sample command:" `chmod go-w sites/default/settings.php`
cn flag
Yeah you’re right, in context I’d call that a bug in documentation. *nix permissions can be accomplished in so many different ways though, so I can understand why there would be inconsistencies in open source docs about it. IMO it’s worth taking the time to learn how these permissions work, at least at the owner/group/world and read/write/execute level (leave ACLs etc. for another day). It’s a lot simpler than it might seem, and learning that would let you make your own decisions with more confidence. TLDR, though, you were right to question what you read.
cn flag
Btw, from your description, the reason you got different results for the first site is almost definitely because the owner of settings.php, or the user you ran the chmod commands as, were different than the next sites
Score:0
us flag

Should I instead be using chmod a-w settings.php to get -r--r--r-- permissions, or is -rw--r--r-- sufficiently secure for a live Drupal site?

As long as the process used to run PHP or the web server is not able to write the settings.php file, all is fine.
When the system account that owns the file is different from the system account used to run PHP or the web server, the -rw--r--r-- permissions do not give write access to that file to either PHP or the web server, since those permissions mean:

  • Read and write access for the owner
  • Read access for the system accounts on the same group as the owner
  • Read access to all the other system accounts

When the settings.php file is owned by the same system account used to run PHP or the web server, then the -r--r--r-- permissions are necessary.
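To make the reasoning in this answer (and the earlier point about 444 versus go-w) concrete, here is an added example script that is not from the thread or from Drupal. It applies the same class selection the kernel uses for classic mode bits: the owner digit if the account owns the file, otherwise the group digit if the account is in the file's group, otherwise the other digit. Account names such as deploy and www-data are constructed for the scenarios; ACLs are outside the model, and root is simply treated as always able to write. The check_file wrapper assumes GNU coreutils (stat -c, id -nG).

```shell
#!/bin/sh
# Added example (not code from the thread or from Drupal): decide whether a
# system account can write a file from its octal mode bits and ownership.
# Classic mode bits only: ACLs are ignored, root is always "yes".

# can_write MODE OWNER GROUP USER "GROUPS OF USER"  -> prints yes or no
can_write() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    perm=${mode#"${mode%???}"}      # last three octal digits: 0644 -> 644
    o=${perm%??}                     # owner digit
    g=${perm#?}; g=${g%?}            # group digit
    w=${perm#??}                     # other (world) digit

    if [ "$user" = root ]; then
        echo yes; return 0
    fi

    # Is the account a member of the file's group?
    in_group=no
    for gr in $user_groups; do
        [ "$gr" = "$group" ] && in_group=yes
    done

    # Exactly one permission class applies, chosen in this order.
    if [ "$user" = "$owner" ]; then digit=$o
    elif [ "$in_group" = yes ]; then digit=$g
    else digit=$w
    fi

    # The write bit is the 2 in each octal digit (4=r, 2=w, 1=x).
    if [ $((digit & 2)) -ne 0 ]; then echo yes; else echo no; fi
}

# check_file FILE USER: read mode and ownership with stat, the account's
# groups with id, and hand them to can_write. Assumes GNU coreutils.
check_file() {
    file=$1 user=$2
    set -- $(stat -c '%a %U %G' "$file")
    can_write "$1" "$2" "$3" "$user" "$(id -nG "$user")"
}

# Constructed scenarios matching the thread (hypothetical account names):
# settings.php owned by a separate deploy account, web server runs as www-data
echo "deploy-owned 644, asked for www-data: $(can_write 644 deploy deploy www-data www-data)"       # no
echo "www-data-owned 644, asked for www-data: $(can_write 644 www-data www-data www-data www-data)" # yes
echo "www-data-owned 444, asked for www-data: $(can_write 444 www-data www-data www-data www-data)" # no
echo "deploy-owned 664, group www-data: $(can_write 664 deploy www-data www-data www-data)"          # yes
```

On a live host, `check_file sites/default/settings.php www-data` (substituting the account your PHP-FPM or web server actually runs as) answers the question directly: if it prints yes, the owner bit, group bit or world bit is handing the web server write access and the file needs chmod 444 or a change of ownership; if it prints no, the -rw-r--r-- mode left by chmod go-w is not giving the web server anything, exactly as the answer describes.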
