Chmod values should be configurable, not hard coded. Most apache setups will only require owner or group access for writing and using fixed values breaks setgid setups (where directories get automatically group owned to a group apache can access). Using the drupal default values even though they don't make sense. F.e. the last "4" on CHMOD_FILE_WRITE does not give "others" write permission so why not reset it to 0? diff -pruN drupal.000/sites/default/default.settings.php drupal/sites/default/default.settings.php --- drupal.000/sites/default/default.settings.php 2010-10-12 01:49:48.000000000 +0200 +++ drupal/sites/default/default.settings.php 2011-01-09 00:43:54.000000000 +0100 @@ -444,3 +444,17 @@ ini_set('session.cookie_lifetime', 20000 * Remove the leading hash signs to disable. */ # $conf['allow_authorize_operations'] = FALSE; + +/* Define chmod settings here so the admin can overwrite them */ +/* No file permission should ever allow world access if the web server is set + * up properly. The web server doesn't create files as an "other" user so + * it shouldn't need read permissions for "other". This means the last octal + * should be 0. + * Going with the old defaults for now. + * + * You need to prefix a 0 if you use f.e. setgid (02770 not 2770). + */ +define('CHMOD_FILE_READONLY', 0444); // Should be 0400 or 0440 +define('CHMOD_FILE_WRITE', 0664); // Should be 0600 or 0660 +define('CHMOD_DIR_READONLY', 0555); // Should be 0500, 0550 or 02550 +define('CHMOD_DIR_WRITE', 0775); // Should be 0700, 0770 or 02770 diff -pruN drupal.000/includes/file.inc drupal/includes/file.inc --- drupal.000/includes/file.inc 2010-12-15 04:39:41.000000000 +0100 +++ drupal/includes/file.inc 2011-01-08 23:53:35.000000000 +0100 @@ -505,7 +505,7 @@ function file_create_htaccess($directory // Write the .htaccess file. if (file_put_contents($htaccess_path, $htaccess_lines)) { - drupal_chmod($htaccess_path, 0444); + drupal_chmod($htaccess_path, CHMOD_FILE_READONLY); } else { $variables = array('%directory' => $directory, '!htaccess' => '
' . nl2br(check_plain($htaccess_lines))); @@ -2085,10 +2085,10 @@ function file_get_mimetype($uri, $mappin function drupal_chmod($uri, $mode = NULL) { if (!isset($mode)) { if (is_dir($uri)) { - $mode = variable_get('file_chmod_directory', 0775); + $mode = variable_get('file_chmod_directory', CHMOD_DIR_WRITE); } else { - $mode = variable_get('file_chmod_file', 0664); + $mode = variable_get('file_chmod_file', CHMOD_FILE_WRITE); } } @@ -2237,7 +2237,7 @@ function drupal_dirname($uri) { */ function drupal_mkdir($uri, $mode = NULL, $recursive = FALSE, $context = NULL) { if (!isset($mode)) { - $mode = variable_get('file_chmod_directory', 0775); + $mode = variable_get('file_chmod_directory', CHMOD_DIR_WRITE); } if (!isset($context)) { diff -pruN drupal.000/modules/simpletest/tests/file.test drupal/modules/simpletest/tests/file.test --- drupal.000/modules/simpletest/tests/file.test 2010-11-30 20:31:46.000000000 +0100 +++ drupal/modules/simpletest/tests/file.test 2011-01-09 00:23:26.000000000 +0100 @@ -539,7 +539,7 @@ class FileUnmanagedSaveDataTest extends $this->assertTrue($filepath, t('Unnamed file saved correctly.')); $this->assertEqual('asdf.txt', basename($filepath), t('File was named correctly.')); $this->assertEqual($contents, file_get_contents(drupal_realpath($filepath)), t('Contents of the file are correct.')); - $this->assertFilePermissions($filepath, variable_get('file_chmod_file', 0664)); + $this->assertFilePermissions($filepath, variable_get('file_chmod_file', CHMOD_FILE_WRITE)); } } @@ -899,7 +899,8 @@ class FileDirectoryTest extends FileTest // in the directory on any recent version of Windows. // Make directory read only. - @drupal_chmod($directory, 0444); +// @drupal_chmod($directory, 0444); // Remark: I suppose 0555 was meant... + @drupal_chmod($directory, CHMOD_DIR_READONLY); $this->assertFalse(file_prepare_directory($directory, 0), t('Error reported for a non-writeable directory.'), 'File'); // Test directory permission modification. @@ -907,7 +908,7 @@ class FileDirectoryTest extends FileTest } // Test that the directory has the correct permissions. - $this->assertDirectoryPermissions($directory, variable_get('file_chmod_directory', 0775)); + $this->assertDirectoryPermissions($directory, variable_get('file_chmod_directory', CHMOD_DIR_WRITE)); // Remove .htaccess file to then test that it gets re-created. @drupal_unlink(file_default_scheme() . '://.htaccess'); @@ -1265,7 +1266,7 @@ class FileUnmanagedMoveTest extends File $this->assertEqual($new_filepath, $desired_filepath, t('Returned expected filepath.')); $this->assertTrue(file_exists($new_filepath), t('File exists at the new location.')); $this->assertFalse(file_exists($file->uri), t('No file remains at the old location.')); - $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', 0664)); + $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', CHMOD_FILE_WRITE)); // Moving with rename. $desired_filepath = 'public://' . $this->randomName(); @@ -1276,7 +1277,7 @@ class FileUnmanagedMoveTest extends File $this->assertNotEqual($newer_filepath, $desired_filepath, t('Returned expected filepath.')); $this->assertTrue(file_exists($newer_filepath), t('File exists at the new location.')); $this->assertFalse(file_exists($new_filepath), t('No file remains at the old location.')); - $this->assertFilePermissions($newer_filepath, variable_get('file_chmod_file', 0664)); + $this->assertFilePermissions($newer_filepath, variable_get('file_chmod_file', CHMOD_FILE_WRITE)); // TODO: test moving to a directory (rather than full directory/file path) // TODO: test creating and moving normal files (rather than streams) @@ -1338,7 +1339,7 @@ class FileUnmanagedCopyTest extends File $this->assertEqual($new_filepath, $desired_filepath, t('Returned expected filepath.')); $this->assertTrue(file_exists($file->uri), t('Original file remains.')); $this->assertTrue(file_exists($new_filepath), t('New file exists.')); - $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', 0664)); + $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', CHMOD_FILE_WRITE)); // Copying with rename. $desired_filepath = 'public://' . $this->randomName(); @@ -1348,7 +1349,7 @@ class FileUnmanagedCopyTest extends File $this->assertNotEqual($newer_filepath, $desired_filepath, t('Returned expected filepath.')); $this->assertTrue(file_exists($file->uri), t('Original file remains.')); $this->assertTrue(file_exists($newer_filepath), t('New file exists.')); - $this->assertFilePermissions($newer_filepath, variable_get('file_chmod_file', 0664)); + $this->assertFilePermissions($newer_filepath, variable_get('file_chmod_file', CHMOD_FILE_WRITE)); // TODO: test copying to a directory (rather than full directory/file path) // TODO: test copying normal files using normal paths (rather than only streams) @@ -1378,7 +1379,7 @@ class FileUnmanagedCopyTest extends File $this->assertNotEqual($new_filepath, $file->uri, t('Copied file has a new name.')); $this->assertTrue(file_exists($file->uri), t('Original file exists after copying onto itself.')); $this->assertTrue(file_exists($new_filepath), t('Copied file exists after copying onto itself.')); - $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', 0664)); + $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', CHMOD_FILE_WRITE)); // Copy the file onto itself without renaming fails. $new_filepath = file_unmanaged_copy($file->uri, $file->uri, FILE_EXISTS_ERROR); @@ -1396,7 +1397,7 @@ class FileUnmanagedCopyTest extends File $this->assertNotEqual($new_filepath, $file->uri, t('Copied file has a new name.')); $this->assertTrue(file_exists($file->uri), t('Original file exists after copying onto itself.')); $this->assertTrue(file_exists($new_filepath), t('Copied file exists after copying onto itself.')); - $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', 0664)); + $this->assertFilePermissions($new_filepath, variable_get('file_chmod_file', CHMOD_FILE_WRITE)); } }