By albannach on
In my admin menu, I get a flag that settings.php is a security risk because it is still writable.
I checked and the only person with permission to write to it is me the owner.
Am I supposed to change it so noone, even me, can write to it?
Doesn't Drupal need the ability to change it, or is it a case of once set up, no one should have permission to write to it again?
Comments
_
Once it's set up there's no reason for anyone to change it, so setting it to read-only is the most secure option.
I have changed them to 644
I have changed them to 644 and other things like 750, but I still get the security warnings all the time?
Is it a bug and should I just ignore it?
_
Read-only for everyone is 444
I set both the site default
I set both the site default folder and settings.php to 444 now, and I still get the warning that it's writable and at risk....
Everyone can still read?
I don't think you want the world to have read access to your settings.php file. You might want to try 451 (read, read+execute, execute). This is what I have mine set to.
OK, I set it to 451 and still
OK, I set it to 451 and still get the same error message that settings.php is not protected!
I don't understand as 451 has no write permissions.
Are the status reports generated instantly, or are they reliant on cron (I mean will it take cron running for the status reports to be updated? OK I tried this: I just tried running cron, and the same error message appears:
Error
Configuration file Not protected
The directory sites/default is not protected from modifications and poses a security risk. You must change the directory's permissions to be non-writable. The file sites/default/settings.php is not protected from modifications and poses a security risk. You must change the file's permissions to be non-writable.
I agree, I don't want the
I agree, I don't want the world to have access to my settings.php file. However, when I try to change the permissions as recommended, my site automatically redirects to the install script. When I change permissions back to 755, the site returns to normal.
What gives?
I am having the same issue on a QNAP 219P
Even using permissions 440 triggers the error. Will have to look in the core libraries to see what Drupal is doing that causes the error on this server. The QNAP is a Linux based NAS with a LAMP server... Weird , first time I am having this problem in years...
Who knows what's up. I've
Who knows what's up. I've practically given up on ever being able to sort out various issues like this with Drupal....
Sorry for dredging up an
Sorry for dredging up an older post, but the problem could lie in the ownership of the file, rather than Drupal. I had problems exactly like yours and spent a while trying various combinations of ownership and permissions. With the owner set to me:me I had to have the permissions as 755 or higher... Once I set the ownership to me:www-data I could set it to 740 (ie: I could read/write/execute it and Apache can read it... no-one else can see it at all).
So,
sudo chown <your-user>:www-data settings.phpfollowed bychmod 740 settings.php(actually, 440 works, but I want to be able to edit the file manually when shelled in to the server without using sudo if I need to)Hope that helps
Steve
protecting sites/default
A lot of good information here, but only for protecting the data on a Linux site. Does anyone have suggestions on how to do it on Windows?
regards,
DJ