After installing D7 with the normal install command, I found that it changes the private files to /sites/default/files_private. It's also writable by the server, which is a security risk.

Comments

mike stewart

Assigned: Unassigned » mike stewart
Status: Active » Closed (works as designed)

@AlanO thanks for your report.

Although creating a site as you describe is the result of an old (default) make-file, there is nothing incorrect about this setup, especially for development. However, you're correct in recognizing that it doesn't match the current documented method -- and perhaps default install profile?? (not sure) -- but there is nothing wrong with it.

In addition, the server will always need read/write access to the files folder (assuming Drupal is used to allow end users to upload files). That in itself is not a security risk. The key to private files is they should be inaccessible using a URL (aka a link served by the webserver). Private files relegate Drupal to handling security of the file (instead of the webserver). A folder used for private files should therefore be either outside the path of the virtual host root, and/or specifically locked down (such as inaccessible from browsing due to .htaccess rules, on Apache).
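
The two conditions described in the comment above (outside the virtual host root, or locked down by .htaccess) can be checked from a shell. This is an added example, not part of the original thread or of Drupal; the function name `check_private_dir` is hypothetical, and it assumes Apache, where `Deny from all` (2.2) or `Require all denied` (2.4) in the directory's .htaccess blocks direct requests.

```shell
#!/bin/sh
# Added example: classify a private files directory relative to the docroot.
# Usage: check_private_dir DOCROOT PRIVATE_DIR
# Prints: outside-docroot | inside-locked | inside-exposed | error
check_private_dir() {
    # Resolve symlinks so a link out of (or into) the docroot is judged
    # by where the files really live.
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "error"; return 2; }
    private=$(cd "$2" 2>/dev/null && pwd -P) || { echo "error"; return 2; }

    # Compare with a trailing slash so /var/www_private is not mistaken
    # for a child of /var/www.
    case "$private/" in
        "$docroot"/*) ;;                          # served path: keep checking
        *) echo "outside-docroot"; return 0 ;;    # not reachable by URL
    esac

    ht="$private/.htaccess"
    # Look for an active (not commented-out) deny-all directive.
    if [ -f "$ht" ] && grep -Eiq \
        '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)' \
        "$ht"; then
        echo "inside-locked"
        return 0
    fi

    echo "inside-exposed"
    return 1
}

# Run directly: sh check.sh /var/www/html /var/www/html/sites/default/files_private
if [ "$#" -eq 2 ]; then
    check_private_dir "$1" "$2"
fi
```

An `inside-locked` result only holds if Apache honours .htaccess for that directory (`AllowOverride`); requesting a known file in the directory over HTTP and getting a 403 is the conclusive check.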