|
| 1 | +# Script to fix permissions in a Drupal installation |
| 2 | + |
| 3 | +This script sets the permissions and ownership of the files of a Drupal |
| 4 | +installation. |
| 5 | + |
| 6 | +This is loosely based on the information provided by Drupal documentation page |
| 7 | +"[Securing file permissions and ownership](https://www.drupal.org/node/244924)". |
| 8 | + |
| 9 | +## Details |
| 10 | + |
| 11 | +For security reasons, the code files of a website should not be writable. At the |
| 12 | +same time, the website should be able to create files (for example, when a user |
| 13 | +uploads an image). This means that there two types of files and folders: content |
| 14 | +and code. |
| 15 | + |
| 16 | +There will be two users involved: a regular UNIX user, we'll call they the |
| 17 | +deploy user, that is in charge of managing the code (typically deploying new |
| 18 | +releases), and the user under which the web server process is running. |
| 19 | + |
| 20 | +This scripts tries to secure the site using the following scheme: |
| 21 | + |
| 22 | + - Code is owned by the deploy user and by the web server's |
| 23 | + group. Deploy user can write, web server group only read. |
| 24 | + |
| 25 | + - Content is owned using the same scheme but the web server can write as well. |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | +## Usage |
| 31 | + |
| 32 | +Check the script help for details in usage: |
| 33 | + |
| 34 | +``` |
| 35 | +drupal_fix_permissions.sh -h |
| 36 | +``` |
| 37 | + |
| 38 | +The script should be run as root because it needs to change ownership and only |
| 39 | +root can do this freely. |
| 40 | + |
| 41 | +Example: |
| 42 | +``` |
| 43 | +drupal_fix_permissions.sh -u=deploy |
| 44 | +``` |
| 45 | + |
| 46 | +This will fix the permissions of a Drupal installation located in the current |
| 47 | +folder and using `deploy` as the deploy user. |
| 48 | + |
| 49 | + |
| 50 | +## Strategy |
| 51 | + |
| 52 | +The scripts checks if the target folder is a Drupal installation and stops if |
| 53 | +it is not detected. |
| 54 | + |
| 55 | +Once checked, it fixes the ownership of all folder and files (because it is the |
| 56 | +same for content and code). Then, it fixes the code and later the content. |
| 57 | + |
| 58 | +The script assumes that `files` and `private` folders under `sites` are content |
| 59 | +folders. |
| 60 | + |
| 61 | +If there are content folders outside the Drupal root folder you can use the |
| 62 | +`--files-path` option and the script will take care of it. |
| 63 | + |
| 64 | +## Performance |
| 65 | + |
| 66 | +The script only changes the files and folder with the wrong permissions or |
| 67 | +ownership, making it very fast when only a few files or folders need a fix. For |
| 68 | +really big installations this is very important as other scripts apply the |
| 69 | +permissions and ownership regardless are needed o not. |
| 70 | + |
| 71 | +## Root permissions |
| 72 | + |
| 73 | +Giving root permissions to regular user is dangerous. Luckily, there's a simple |
| 74 | +script, `autofix-drupal-perms.sh`, to allow regular users fix their sites |
| 75 | +without risking the security. |
| 76 | + |
| 77 | +This script has no parameters, so it can be easily added to the sudoers. When |
| 78 | +run, it calls the main script with predefined parameters: |
| 79 | + |
| 80 | + - deploy user: the owner of the current folder |
| 81 | + - additional content folders: ../private and ../private-files |
| 82 | + |
| 83 | +The script is an example, you can customize it for your hosting needs. |
| 84 | + |
| 85 | +This repository also includes a sudoers file example to allow user to run the |
| 86 | +script using sudo. |
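Review bot: The "Root permissions" section (README lines 73-86) claims the wrapper lets regular users fix their sites "without risking the security", but the only safeguard it names is that the script takes no parameters. Since the wrapper runs as root, takes the deploy user from "the owner of the current folder" and also touches `../private` and `../private-files`, the README should say what the script will act on when it is invoked from an arbitrary directory. It should also say that the sudoers entry must reference the script by a fixed absolute path that non-root users cannot modify. Separately, the scheme under "Details" (lines 22-25) would be easier to audit if it listed the resulting modes for code and content files and folders. A few typos also need fixing: "there two types", "we'll call they", "This scripts tries", "regardless are needed o not".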