Understanding Linux & Drupal File Permission System

Section 1: Understand file permissions in Linux.

Understanding Linux File Permission System

In this article I am going to discuss Linux file permissions and how they relate to Drupal. In Linux, ownership of files is defined by permission "groups", and how a file can be accessed is known as the permission "type".

  • Permission groups, which are otherwise referred to as ownership
  • Permission types, which can be read, write or execute.

Permission groups

For every file and directory in Linux, there are three sets of users for whom we specify permissions. They are:

  • Owners: The user who creates a file, folder, or process is the owner.
  • Groups: Groups refers to anyone who is in the same group as the owner.
  • Others: Any user who is neither the owner of the file/directory nor a member of the same group is assigned to the others group.

Permission Types

There are only three things you can do to a file: read it, write to it (modify), or execute it (run the code in the file). Therefore, in Linux each file or directory has three basic permission types:

  • read: The Read permission refers to a user’s capability to read the contents of the file.
  • write: The Write permissions refer to a user’s capability to write or modify a file or directory.
  • execute: The Execute permission affects a user’s capability to execute a file or view the contents of a directory.

Understanding Chmod Command

To change the above file permissions you'll use the change mode command, written as "chmod".

This command is used to set the permission of a file or folder. The chmod command uses three digits as a parameter to assign permissions to files or folders. chmod changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.

$ sudo chmod XXX docroot

Understanding the example above

  • The XXX in the command are the digits whose bits set the permissions.
  • The first X represents the Owner (current user)
  • The second X represents Group (set by owner)
  • The third X represents anyone else or Others

Each X is a 3-bit value, xxx. When one of the 3 bits is set to 1, you are permitted to do something; when it is set to 0, you are not. The three bits stand for Read, Write and Execute, in that order.

There are two ways to use the command:

  • Absolute mode
  • Symbolic mode

Absolute (Numeric) Mode

In this mode, file permissions are not represented as characters but as a three-digit octal number. The table below gives numbers for all permission types.

Symbolic Mode

In the Absolute mode, you change permissions for all 3 owners. In the symbolic mode, you can modify permissions of a specific owner. It makes use of mathematical symbols to modify the file permissions.

  • + Adds a permission to a file or directory
  • - Removes the permission
  • = Sets the permission and overrides the permissions set earlier


Section 2: Apply the proper file permissions to your Drupal 8 or Drupal 9 website.

Drupal Directory and Files Permission Best Practices

  • All files should have permission 444
  • All directories should have permission 555
  • The docroot directory should have permission 555
  • sites/default/files directory permission should be 775
  • All directories in sites/default/files should be 775
  • All files in sites/default/files should be 664

To see only the octal file permissions on GNU/Linux:

$ stat -c '%a' /var/wwwhtml/docroot

Another useful command that displays file permissions in both formats:

$ stat -c '%A %a %n' /var/wwwhtml/docroot

To recursively give directories read and execute privileges:

$ find /var/wwwhtml/docroot -type d -exec chmod 755 {} +

To recursively give files read privileges:

$ find /var/wwwhtml/docroot -type f -exec chmod 644 {} +

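If there are many objects to process, pipe the names to xargs so that they are split across several chmod calls and names containing spaces are handled correctly:

$ find /var/wwwhtml/docroot -type d -print0 | xargs -0 chmod 755
$ find /var/wwwhtml/docroot -type f -print0 | xargs -0 chmod 644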
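
The following bash function is an added example, not part of the original article: it audits a docroot against the modes in the best-practices list above and reports every entry that has drifted from them. The function name audit_drupal_perms and the "expected actual path" output format are assumptions made for this example; it relies on GNU find and GNU stat, as the commands above do.

```shell
#!/usr/bin/env bash
# Added example: report files and directories whose mode differs from the
# Drupal best-practice modes listed in this article.
#   code tree (everything outside sites/default/files): files 444, dirs 555
#   upload tree (sites/default/files and below):        files 664, dirs 775
# Output: one line per mismatch, "EXPECTED ACTUAL PATH", sorted by path.
# Exit status: 0 = all modes match, 1 = drift found, 2 = bad argument.
audit_drupal_perms() {
    local root=${1%/}                      # drop a trailing slash
    local files="$root/sites/default/files"
    local out

    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    out=$(
        {
            # Code tree: prune the upload directory, then flag anything
            # whose mode bits are not exactly 444 (files) or 555 (dirs).
            find "$root" -path "$files" -prune -o \
                 -type f ! -perm 444 -exec stat -c '444 %a %n' {} +
            find "$root" -path "$files" -prune -o \
                 -type d ! -perm 555 -exec stat -c '555 %a %n' {} +

            # Upload tree: the web server must be able to write here.
            if [ -d "$files" ]; then
                find "$files" -type f ! -perm 664 -exec stat -c '664 %a %n' {} +
                find "$files" -type d ! -perm 775 -exec stat -c '775 %a %n' {} +
            fi
        } | sort -k3
    )

    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run the audit when a docroot is given on the command line, e.g.
#   ./audit.sh /path/to/docroot
[ "$#" -eq 0 ] || audit_drupal_perms "$1"
```

Because -perm without a prefix matches the mode bits exactly, a stray setuid, setgid or sticky bit is reported as drift too.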
