On the Drupal website it is suggested to use 755 as the permissions for the "Files" folder.

However, I sometimes had issues with it when uploading the website to a server, because the owner of the files was the FTP client and not Drupal itself.

Consequently, I've asked some people and I've been told that assigning 777 to "only" the files folder is reasonably safe.

Could you confirm this?

Thanks

A: 

If you upload via FTP only occasionally, I would just change ownership of the files afterwards to the apache user. Anything uploaded via Drupal automatically has the right permissions.

Whether 777 is reasonably safe depends on your hosting situation, I don't want to speculate here. I would tend to err on the safe side and keep 755 (and change ownership of the files).

Fabian
A: 

777 is probably the worst choice: that gives read/write/execute permissions to anyone who has or gains access to your server.

I use the following scheme:

  • Owner: non-privileged user or the webserver user
  • Group: a group to which only the webserver and authorized web developers belong (e.g. www-data or _www)
  • Folders: 2770 (owner and group have read/write/list access, everyone else has no access, setgid bit set to preserve group ownership of files created in directories)
  • Files: 660 (owner and group have read/write access, everyone else has no access)

This can be propagated with the following commands in Linux:

chown -R mark:www-data files/
find ./files -type d -exec chmod 2770 {} \;
find ./files -type f -exec chmod 660 {} \;

Mark Trapp
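
An added example, not part of either answer: a POSIX shell audit that reports every entry in a files tree whose mode deviates from the scheme in the second answer (directories 2770, files 660). The function names `audit_files_dir` and `make_sample_tree` and the sample tree itself are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a Drupal "files" tree
# against the scheme above (directories 2770, files 660).
# Function names and the sample tree are assumptions for illustration.

# audit_files_dir DIR [DIR_MODE] [FILE_MODE]
# Prints an "ls -ld" line for every entry whose mode deviates.
# Returns 0 if all entries match, 1 if any deviate, 2 on bad input.
audit_files_dir() {
    dir=$1
    dir_mode=${2:-2770}
    file_mode=${3:-660}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # An octal -perm is an exact match on all mode bits, so a 777 directory,
    # a 644 file and a directory missing the setgid bit are all reported.
    bad=$(find "$dir" \( \( -type d ! -perm "$dir_mode" \) -o \
                         \( -type f ! -perm "$file_mode" \) \) \
                      -exec ls -ld {} +)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample tree: three entries follow the scheme, two do not.
make_sample_tree() {
    tree=$(mktemp -d) || return 2
    mkdir "$tree/ok" "$tree/open"
    : > "$tree/ok/a.png"
    : > "$tree/open/b.txt"
    chmod 660 "$tree/ok/a.png"
    chmod 644 "$tree/open/b.txt"
    chmod 2770 "$tree" "$tree/ok"
    chmod 777 "$tree/open"
    echo "$tree"
}

# With an argument, audit that directory; otherwise audit the sample tree.
if [ $# -gt 0 ]; then
    audit_files_dir "$@"
else
    sample=$(make_sample_tree) && {
        audit_files_dir "$sample" || true
        rm -rf "$sample"
    }
fi
```

Running the audit after an FTP upload shows which entries still need the `chown` and `chmod` commands above before the tree matches the scheme again.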