This is a general support thread for people who are getting this warning:
Security notice: Backup and Migrate will not save backup files to the server because the destination directory is publicly accessible. If you want to save files to the server, please secure the 'sites/default/files/private/backup_migrate/manual' directory
Before you post in this queue please make sure that you have checked that this directory is properly secured from the public. That means that you have instructed your web server not to serve files from this directory.
For Apache users, Backup and Migrate will attempt to restrict access to this directory using a .htaccess file. For most people this will ensure that nobody can download your saved backups. Not all servers will obey the .htaccess file so you will have to talk to your sysadmin about other ways to secure this directory. The easiest way to secure the directory is to move it out of your web root.
For other servers, there are some instructions in the module README.txt to help you set up a secure folder. Talk to your sysadmin if they don't work or you need more help.
If you are completely sure that the backup directory has been properly protected, but you are still getting this warning, please comment on this issue. You must independently verify that this directory is secure by adding a file to that folder and then attempting to load the file in your web browser. IE: Place a file called test.txt in sites/default/private/backup_migrate/manual (or wherever your private directory is) and then attempt to load it at http://example.com/sites/default/private/backup_migrate/manual/test.txt (or whatever the correct URL would be) and confirm that you cannot read the file.
If your private directory is OUTSIDE your web root and you are getting this error, then you have found a bug. Please post below with the details of your setup.
Be sure to include in your comment: your web server software (Apache etc.), where your private directory is and whether you are using any symlinks or other fancy setup that might be confusing the module.
PLEASE NOTE: This ticket refers to public access of backup files via the web server. It has nothing to do with file permissions. Your backup directory must be readable and writeable by the web server. Do not post in this issue with file permission issues.
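The test.txt check described in the issue summary can be scripted. The following is an added example, not code from Backup and Migrate; the function names `inside_web_root` and `canary_is_readable` are hypothetical, and the directory and URL you pass in are your own values. It writes a random canary file into the backup directory, requests it over HTTP, and reports whether the server handed the contents back. The path check is only a hint, because a symlink inside the web root can still expose a directory that resolves outside it.

```python
import os
import secrets
import urllib.error
import urllib.request


def inside_web_root(private_dir, web_root):
    """Return True if private_dir, with symlinks resolved, lies under web_root.

    Hypothetical helper: a False result does not prove the directory is
    unreachable, since the web server may follow a symlink into it.
    """
    resolved_dir = os.path.realpath(private_dir)
    resolved_root = os.path.realpath(web_root)
    return os.path.commonpath([resolved_dir, resolved_root]) == resolved_root


def canary_is_readable(private_dir, url_for_dir, timeout=5):
    """Write a random canary into private_dir and try to fetch it over HTTP.

    Returns True if the server returned the canary token (the directory is
    publicly served), False if the server refused with an HTTP error such
    as 403 or 404. Connection failures are raised, not treated as "secure".
    """
    token = secrets.token_hex(16)
    name = f"canary-{token[:8]}.txt"
    path = os.path.join(private_dir, name)
    with open(path, "w") as handle:
        handle.write(token)
    try:
        url = f"{url_for_dir.rstrip('/')}/{name}"
        with urllib.request.urlopen(url, timeout=timeout) as response:
            body = response.read().decode("utf-8", "replace")
            # Compare contents, not status: some servers answer 200 with
            # an error page instead of the file.
            return token in body
    except urllib.error.HTTPError:
        return False
    finally:
        os.remove(path)  # never leave the canary behind
```

Run it from a machine outside the server where possible, so the request follows the same path an anonymous visitor's would.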
Comments
Comment #1
mastap commented
Mmm. Using Backup and Migrate 7.x-2.8
Then I configure a backup destination which points to /home/account/account-privatefiles
I am getting this error when running a backup: (weirdly it is doubled as well, as you see)
Any clue? thanks!
Comment #2
pkiff commented
MastaP,
Your error is not the same as the one specified for this thread. You are getting an error related to the directory not being found ("No such file or directory"), not an error related to the directory being publicly accessible ("destination directory is publicly accessible").
Having said that, it looks like your folders are not correctly saved in your file system settings. You say:
"I have set private directory to /home/account/account-privatefiles"
but the error shows it is looking for:
"privatefiles/.htaccess"
This suggests you have the directory set as:
"/home/account/privatefiles" or perhaps just "privatefiles"
not
"/home/account/account-privatefiles"
Does /home/account/privatefiles exist on your server? Normally, Backup and Migrate won't let you save your setting if the folder doesn't exist, and the use of privatefiles may indicate your setting is not even being saved when you think it is. The setting may also be being overridden by a fixed variable setting in your settings.php file.
You might also try using a relative directory like this (which is probably relative to your "public_html" folder, depending on your server config):
../privatefiles/
or
../account-privatefiles/
Comment #3
ronan commented
Please check the latest dev. I've made some fixes that might be relevant.
Comment #4
ronan commented
Comment #5
TGEink commented
NEVERMIND:: IT FIXED ITSELF THE SAME WAY IT BROKE. NO IDEA WHAT HAPPENED BUT OK.
This just started happening to us. We have not changed the settings and yet we get the message:
The site backup has failed with the following messages:
The NodeSquirrel server returned the following error:
Could not run backup because the file could not be saved to the destination.
When we try to load the test.txt file we get:
Forbidden
You don't have permission to access /sites/default/files/private/backup_migrate/manual/test.txt on this server.
Apache/2.2.22 Server at thegreeneconomy.com Port 80
Our sites directory is at [address for our server at MediaTemple]/domains/thegreeneconomy.com/html/sites....
Not sure what happened.
Comment #6
arzuga commented
Hello,
I just moved my site from one server to another. Debian 7 to 8.
New server is a Bitnami VM
Everything works except for Backup_migrate. No scheduled and no manual backups to the private folder, due to the:
Security notice: Backup and Migrate will not save backup files to the server because the destination directory is publicly accessible. If you want to save files to the server, please secure the 'sites/default/files/private/backup_migrate/manual' directory
The folder has old backups inside, made on the old server. I can download them from Drupal if I'm logged in, but not from http://example.com/sites/default/private/backup_migrate/manual/filename.... from outside.
Apache is the web server software, and here is the path:
http://example.com/sites/default/private/backup_migrate/manual/
Comment #7
couturier commented
@arguza The 2.x branch hasn't had any code updates in 4 years. Would it be possible for you to switch to the new 7.x-3.2 version that came out yesterday, September 27, 2017, and see if this resolves your problem? If not, please re-open the issue under an updated version and if using dev, please specify which dev release you have used.
Comment #8
couturier commented
Also note that @DamienMcKenna has proposed that the 7.x-2.x branch be deprecated once the upgrade path to 7.x-3.x is verified. See this issue: Verify 7.x-2.x -to- 7.x-3.x upgrade path, mark 7.x-2.x as unsupported