Score:1

Why does Drupal harden permissions of the /web/sites/default directory and files?

sh flag

I understand that Drupal hardens permissions of the `/web/sites/default` directory and its files each time that the `system_requirements()` function is called, typically after each `composer require` operation.
The particular hardening is removing the write permission from the user of the Drupal file tree, and to soften that hardening one would have to do `chmod u+w web/sites/default`.

If I understand correctly, why does Drupal remove the write permission from the user of the Drupal file tree?
What typical problem does it prevent, or solve?

Score:4
id flag

The settings.php file contains the database password and username in plain text and, once created, must be set so that only appropriate users can read it. That usually means removing read permissions for the "other" user.

https://www.drupal.org/docs/administering-a-drupal-site/security-in-drupal/securing-file-permissions-and-ownership

It is not particularly clear in this question if you are asking about files or about the sites/default directory. In the case of hardening permissions on the sites/default directory itself, that is to prevent the addition of files.

The original reasoning is in this seventeen-year-old issue.

The general approach here is that, because we do not know the security setup of the webserver, we apply our permission changes to all three digits of the file permission (i.e. user, group and all).

Power users who understand filesystem details may wish to disable these protections via a documented configuration in settings.php.
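
An added example (not part of the answer and not Drupal's own code) of the check the answer describes: it flags a write bit in any of the three permission digits on a `sites/default`-style directory and its `settings.php`, plus read access for "other" on `settings.php`. The function names and the temporary directory are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import stat
import tempfile

# 0o222: the write bit in all three digits (user, group, other)
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
CLASSES = (("user", stat.S_IWUSR), ("group", stat.S_IWGRP), ("other", stat.S_IWOTH))


def hardened_mode(mode: int) -> int:
    """Clear the write bit for user, group and other; keep every other bit."""
    return mode & ~WRITE_BITS


def audit_site_dir(site_dir: str) -> list[str]:
    """Return findings for a sites/default-style directory and its settings.php."""
    findings = []
    settings = os.path.join(site_dir, "settings.php")
    for path in (site_dir, settings):
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        for label, bit in CLASSES:
            if mode & bit:
                findings.append(f"{path}: writable by {label} (mode {mode:04o})")
        # settings.php holds database credentials, so "other" should not read it
        if path == settings and mode & stat.S_IROTH:
            findings.append(f"{path}: readable by other (mode {mode:04o})")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Audit a constructed site directory before and after hardening."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "default")
        os.mkdir(site)
        settings = os.path.join(site, "settings.php")
        with open(settings, "w") as fh:
            fh.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(site, 0o755)
        os.chmod(settings, 0o644)
        before = audit_site_dir(site)
        os.chmod(settings, hardened_mode(0o644) & ~stat.S_IROTH)  # 0o440
        os.chmod(site, hardened_mode(0o755))  # 0o555
        after = audit_site_dir(site)
        os.chmod(site, 0o755)  # restore write so the temp directory can be removed
    return before, after


if __name__ == "__main__":
    for label, found in zip(("before", "after"), demo()):
        print(label, found)
```
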

alhemist avatar
sh flag
Why should I want to prevent the user account that I myself use to manage my Drupal installation from writing anywhere inside it? By "writing" I mean adding files to `sites/default` or editing an existing file there such as `settings.php`. I mean, if that directory and its files are owned by my user account and are grouped in the group of my user account and others cannot access it, then why should I expect Drupal to harden it so that even I myself couldn't write in it (unless I soften the hardness)?
id flag
I don't think we can answer questions about what you should want or what you should expect, as those are your private thoughts.
alhemist avatar
sh flag
Sure, let me try that again: what is the logic in making Drupal remove the `write` permission from the user account which owns `sites/default` and its files, grouped in a group of the same name and that other user accounts can't access?
id flag
As I quoted in the answer “we do not know the security setup of the webserver”. In some shared hosting, the web server user is the same as the shell account user, for example.
alhemist avatar
sh flag
Alright, let's take that scenario in which the shell user account is the Drupal user account of `sites/default`. Why make that user account remove itself the `write` permission if it can also give it back to itself? Maybe in other scenarios, it can't give it back to itself.
No Sssweat avatar
ua flag
`Why make that user account remove itself the write permission` It's a security child lock. It's better to be safe than hacked, m'kay?
alhemist avatar
sh flag
@NoSssweat if any user account of Drupal can remove this permission but then immediately bring it back, then I don't think it's a lock at all. What am I missing?