Securing File Permissions & Ownership

If you need to fix permissions on your Drupal file system, the following script will help. It is based on the guidelines in the Administration & Security Guide (http://drupal.org/node/244924) and performs some checks before making any modification, to ensure it is not applied to files or directories outside your Drupal installation.
Copy the code below to a file, name it "DrupalFixPermissions.sh" and make it executable. Run it with:
sudo DrupalFixPermissions.sh --drupal_path=your/drupal/path --drupal_user=your_user_name

```bash
#!/bin/bash

# chown and chmod over the whole tree require root.
if [ "$(id -u)" != 0 ]; then
  printf "This script must be run as root.\n"
  exit 1
fi

drupal_path=""
drupal_user=""
httpd_group="www-data"

# Help menu
print_help() {
cat <<-HELP

This script is used to fix permissions of a Drupal installation
you need to provide the following arguments:

1) Path to your Drupal installation.
2) Username of the user that you want to give files/directories ownership.
3) HTTPD group name (defaults to www-data for Apache).

Usage: (sudo) bash ${0##*/} --drupal_path=PATH --drupal_user=USER --httpd_group=GROUP

Example: (sudo) bash ${0##*/} --drupal_path=/usr/local/apache2/htdocs --drupal_user=john --httpd_group=www-data

HELP
}

# Parse Command Line Arguments
while [ $# -gt 0 ]; do
  case "$1" in
    --drupal_path=*)
      drupal_path="${1#*=}"
      ;;
    --drupal_user=*)
      drupal_user="${1#*=}"
      ;;
    --httpd_group=*)
      httpd_group="${1#*=}"
      ;;
    --help)
      print_help
      exit 0
      ;;
    *)
      printf "Invalid argument, run --help for valid arguments.\n"
      exit 1
      ;;
  esac
  shift
done

# Strip a trailing slash from the path.
drupal_path="${drupal_path%/}"

# Refuse to run unless the path looks like a Drupal root: it must contain
# "sites" and the system module (core/modules/... or modules/...).
# The braces group the two system.module tests; without them "||" and "&&"
# are evaluated left to right and a path without "sites" could pass.
if [ -z "${drupal_path}" ] || [ ! -d "${drupal_path}/sites" ] || { [ ! -f "${drupal_path}/core/modules/system/system.module" ] && [ ! -f "${drupal_path}/modules/system/system.module" ]; }; then
  printf "Please provide a valid Drupal path.\n"
  print_help
  exit 1
fi

# The user must exist on this system.
if [ -z "${drupal_user}" ] || [ "$(id -un "${drupal_user}" 2> /dev/null)" != "${drupal_user}" ]; then
  printf "Please provide a valid user.\n"
  print_help
  exit 1
fi

# Stop if the directory cannot be entered, so nothing is changed elsewhere.
cd "${drupal_path}" || exit 1
printf 'Changing ownership of all contents of "%s":\n user => "%s" \t group => "%s"\n' "${drupal_path}" "${drupal_user}" "${httpd_group}"
chown -R "${drupal_user}:${httpd_group}" .

printf 'Changing permissions of all directories inside "%s" to "rwxr-x---"...\n' "${drupal_path}"
find . -type d -exec chmod u=rwx,g=rx,o= '{}' +

printf 'Changing permissions of all files inside "%s" to "rw-r-----"...\n' "${drupal_path}"
find . -type f -exec chmod u=rw,g=r,o= '{}' +

printf 'Changing permissions of "files" directories in "%s/sites" to "rwxrwx---"...\n' "${drupal_path}"
# Already inside the Drupal root, so this also works when the path was relative.
cd sites || exit 1
find . -type d -name files -exec chmod ug=rwx,o= '{}' +
printf 'Changing permissions of all files inside all "files" directories in "%s/sites" to "rw-rw----"...\n' "${drupal_path}"
printf 'Changing permissions of all directories inside all "files" directories in "%s/sites" to "rwxrwx---"...\n' "${drupal_path}"

for x in ./*/files; do
  # Skip the unexpanded pattern when no site has a "files" directory.
  [ -d "${x}" ] || continue
  find "${x}" -type d -exec chmod ug=rwx,o= '{}' +
  find "${x}" -type f -exec chmod ug=rw,o= '{}' +
done

echo "Done setting proper permissions on files and directories"
```
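
To check the result, or to audit a site without changing anything, the following added example (not part of the original script) lists every path that deviates from the ownership and modes the script applies. The function name `audit_drupal_perms` and the finding labels are made up for this example; it assumes a POSIX shell with `find` and an external `printf`, and it needs no root privileges as long as the calling user can read the tree.

```shell
#!/bin/sh
# Added example: read-only audit of the layout the fix script applies.
# Usage: audit_drupal_perms DRUPAL_PATH USER GROUP
# Prints one "<finding><TAB><path>" line per deviation, nothing when clean.
# The body is a subshell, so the cd and the variables do not leak to the caller.
audit_drupal_perms() (
  root="${1%/}"; user="$2"; group="$3"
  cd "$root" || exit 2

  # 1. Ownership: the script runs "chown -R user:group ." over the whole tree.
  find . \( -type d -o -type f \) \( ! -user "$user" -o ! -group "$group" \) \
    -exec printf 'owner\t%s\n' {} +

  # 2. Code area: everything outside sites/*/files must be rwxr-x--- / rw-r-----.
  #    "*" in -path also matches "/", so the second -path limits the prune to
  #    "files" directories exactly one level below sites/. Deeper directories
  #    named "files" are accepted at rwxrwx---, as the script sets them.
  find . -path './sites/*/files' ! -path './sites/*/*/files' -prune -o \
    -type d ! -perm 750 ! \( -path './sites/*' -name files -perm 770 \) \
    -exec printf 'dir-not-750\t%s\n' {} +
  find . -path './sites/*/files' ! -path './sites/*/*/files' -prune -o \
    -type f ! -perm 640 -exec printf 'file-not-640\t%s\n' {} +

  # 3. Upload area: sites/*/files trees must be rwxrwx--- / rw-rw----.
  for x in ./sites/*/files; do
    [ -d "$x" ] || continue
    find "$x" -type d ! -perm 770 -exec printf 'dir-not-770\t%s\n' {} +
    find "$x" -type f ! -perm 660 -exec printf 'file-not-660\t%s\n' {} +
  done
)
```

An empty result means the tree matches; any `owner`, `file-not-640` or `dir-not-750` line under the code area is worth reviewing before the fix script is re-run.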