Dreamhost and Security Review – File Permissions

Security Review Error

So, I am getting ready to take a site live and I am working through the Security Review module with a site on a Dreamhost VPS. Currently, I am failing the ‘Web Server file system permissions’ test which gives the following message and a ginormous list of basically every file on my install.

Web server file system permissions

It is dangerous to allow the web server to write to files inside the document root of your server. Doing so could allow Drupal to write files that could then be executed. An attacker might use such a vulnerability to take control of your site. An exception is the Drupal files, private files, and temporary directories which Drupal needs permission to write to in order to provide features like file attachments.

In addition to inspecting existing directories, this test attempts to create and write to your file system. Look in your security_review module directory on the server for files named file_write_test.YYYYMMDDHHMMSS and for a file called IGNOREME.txt which gets a timestamp appended to it if it is writeable.

Read more about file system permissions in the handbooks.

The following files and directories appear to be writeable by your web server. In most cases you can fix this by simply altering the file permissions or ownership. If you have command-line access to your host try running “chmod 644 [file path]” where [file path] is one of the following paths (relative to your webroot). For more information consult the Drupal.org handbooks on file permissions.

My Situation

I contacted Dreamhost support who gave the following info:

  • webserver runs off user: dhapache
  • cannot change group or user

I have tried through SSH to change user and group, but have not been able to, so this tests correct for me and my limited skills.

I also have the Extra Web Security on for the domain, as well.

File Ownership

user: my_user
group: default server group

File Permissions

(general all directories) 755

I started with 750 ( w/ files @ 644) and site would not come up at all. Once I changed it 755 to directories then the site showed up

(general all files) 644

/.htaccess and /.htpasswd 444
Tried 440 for .htaccess which results in a site 403. need the 004

/sites/default (directory) 555

/sites/default/settings.php 440

?will need to add user write to make updates – only if settings.php is updated?

If not at least 440 – then admin/reports/status will fail for Drupal Core, Modules, and Theme updates

/sites/default/files (directories) 775
/sites/files (directories)

/sites/default/files (files) 664

Test

If I changed a file to 444 then the message goes away for that file since the write permission is lost =)

How to make Security Review Happy and to keep my install secure?

So, how do I make Security Review happy

File Permissions Guide

I have also looked at this thread, but cannot find a way to translate it into something that makes sense. My file permissions from above is that attempt as well as pulling from other resources. I like what it is saying, but am not sure what that is. =( What is ‘hosted sites’? What is Core? What is modules/themes?

Core modules/themes directories: rwxr-x—
Core modules/themes files: rw-r—–
Hosted sites modules/themes directories: rwxr-x—
Hosted sites modules/themes files: rw-r—–
Hosted sites “files” directory: rwxrwx—
Hosted sites files under “files” directories: rw-rw—-
Hosted sites subdirectories under “files” directories: rwxrwx—

Understanding the File Permissions Page

Here is me trying to convert the above list into something that makes sense to me. Someone please correct me, since I will definitely be wrong.

(root directory) /modules/ (directories) – rwxr-x– – 750
(root directory) /themes (directories) – rwxr-x— – 750
(root directory) /modules/ (files) – rw-r—– – 640
(root directory) /themes/ (files) – rw-r—– – 640

I am assuming that hosted sites means /sites/all/* ?

(root directory)/sites/all/modules (directories) – rwxr-x— – 751
(root directory)/sites/all/themes (directories) – rwxr-x— – 751
(root directory)/sites/all/modules (files) – rw-r—– – 640
(root directory)/sites/all/themes (files) – rw-r—– – 640

Is the library directory included in this?
If not what should its permissions be?

For the files directory I have one in /sites/default/files. Not sure about elsewhere.

(root directory)/sites/default/(directories) – rwxrwx— – 770
(root directory)/sites/default/(files) – rw-rw—- – 660

This leaves out the the following directories and files which are listed:

/misc
/includes
/profiles
/scripts
(core directory)

What about these? It seems the key point to make the Security Review module happy is to remove the write permissions.

Other Thoughts

If I go 750 for all directories and 640 for all files then the site is not available. I was thinking that the only page that needs actual public access is the index.php and the directories for uploaded files, and then the rest could be 0 for public access.

Please help me out. If I can get this together I will put it all together into a guide for satisfying Security Review on Dreamhost.

Thanks All!

Drupal version: 


Source: https://www.drupal.org/taxonomy/term/22/feed