Hello
D 7.36
Sorry to come back to an old matter.
I did check my permissions and set them like this:
in root every folder is 755 and every file is 644 (and inside them as well)
sites/default 555
sites/default/files 755
settings.php 400
But when I run the review, my whole website is displayed in the list!
For instance, the first file in the list is ./INSTALL.txt and in cPanel or FileZilla, it's already set to 644.
What more could a chmod do? And how could we do this on a whole site?
What can I do? Everything looks right ...
Comment | File | Size | Author |
---|---|---|---|
#13 | Capture1.JPG | 48.72 KB | mattys |
Comments
Comment #1
AohRveTPV commented:
Which user is the owner of the files/directories?
A file with permissions 644 will be writable and readable by the owner (6), readable by the group (4), and readable by other users (4). If the owner is the user that your web server runs as, it will be able to write the files, and the Security Review check will fail. So I suspect a problem with your file/directory ownership.
The owner of the files/directories should probably be your user, and that user should be a different user than the web server user.
For example, suppose you are using the Apache web server and it runs as the user "apache". The owner of your Drupal files/directories could then be set to your user "foo":
chown -R foo /path/to/drupal
Then you would be able to read/write files to maintain them, but the web server can only read them. An exception is the web server user needs to be able to write files in the files directory, sites/default/files.
Comment #2
artatum commented:
ls -l displays me, 'laurent', as owner and group.
..
-rw-r--r-- 1 laurent laurent 1550 Mar 29 08:10 robots.txt
..
I'm not very used to Linux, and I don't really see the difference between the Apache user and me: I never had to deal with this...
Anyway, I never changed this 'owner' to this or that value...
How could all of my websites at two hosts be so ... bad?
Are the hosts guilty?
Or is Drupal unable to set the whole stuff correctly when installing?
I can type chown -R foo /path/to/drupal but you added:
An exception is the web server user needs to be able to write files in the files directory, sites/default/files.
That means that this folder would also be set to foo ... So I imagine something needs to be done specifically for the files folder afterwards...
Comment #3
AohRveTPV commented:
On Linux and other Unix-like systems each process runs as a user. You can list all current processes and which user they are running as using:
ps aux
Which user is Apache running as? (I assume from your previous comment that you are using Apache.) You can use this command to check:
ps aux | egrep '(apache|httpd)'
If the value for the USER column is 'laurent', that would confirm the problem. I could then give advice on how to fix it.
Comment #4
artatum commented:
I tried ps aux: this is what I got.
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
laurent 620335 0.0 0.0 104628 2092 ? S 09:25 0:00 sshd: laurent@pts/0
laurent 620337 0.0 0.0 11476 1668 pts/0 Ss 09:25 0:00 -bash
laurent 747203 24.0 0.0 248124 29448 ? S 11:52 0:34 /usr/bin/php
laurent 748008 12.4 0.0 249216 30532 ? S 11:53 0:09 /usr/bin/php
laurent 748730 0.0 0.0 13376 1012 pts/0 R+ 11:55 0:00 ps aux
the second command :
laurent 750501 0.0 0.0 4160 644 pts/0 S+ 11:59 0:00 egrep (apache|httpd)
Comment #5
AohRveTPV commented:
Hmm, that output does not seem to indicate which user the web server is running as.
Here is another way:
1. Create file whoami.php in your Drupal root directory with the following contents:
2. Request your_site/whoami.php in a web browser. The username of the web server user will be given in the response.
Comment #6
artatum commented:
I got ... laurent. again...
(BTW, I'm at GoDaddy and I tried to use the 'installatron' to create a fresh Drupal install. I installed Security Review after and I got the same report...)
Comment #7
AohRveTPV commented:
OK, that is probably the problem. The owner of the files/directories needs to be a different user than the user the web server is running as. If the web server user is the owner, the web server can write all files, which is dangerous. So either (1) the web server needs to not run as 'laurent', or (2) you need to create a new user and make it the owner.
Have you seen this page? It explains a lot about permissions/ownership.
https://www.drupal.org/node/244924
With GoDaddy are you using a VPS or shared hosting? What type of service do you have from them?
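
The owner/group/other rule discussed in the comments above can be checked from the shell. This is an added example, not part of the original thread and not the Security Review module's code; the function names `can_write` and `audit_tree` are hypothetical, and it assumes GNU `stat` as found on typical Linux hosts.

```sh
#!/bin/sh
# Added example: list paths a given web server user could modify.
# can_write and audit_tree are hypothetical names; GNU stat (-c) is assumed.

# can_write USER "USER_GROUPS" OWNER GROUP MODE
# Returns 0 if USER may write a path with that owner, group and octal mode.
# Unix consults exactly one class: owner, else group, else other.
can_write() {
    cw_user=$1 cw_groups=$2 cw_owner=$3 cw_group=$4 cw_mode=$5
    [ "$cw_user" = root ] && return 0      # root bypasses the mode bits
    if [ "$cw_user" = "$cw_owner" ]; then
        cw_bits=$(( (0$cw_mode >> 6) & 7 ))
    else
        case " $cw_groups " in
            *" $cw_group "*) cw_bits=$(( (0$cw_mode >> 3) & 7 )) ;;
            *)               cw_bits=$(( 0$cw_mode & 7 )) ;;
        esac
    fi
    [ $(( cw_bits & 2 )) -ne 0 ]           # write bit of the chosen class
}

# audit_tree DRUPAL_ROOT WEB_USER
# Prints "mode owner:group path" for every file or directory WEB_USER can
# write, skipping sites/default/files, which the web server must write to.
audit_tree() {
    at_root=$1 at_user=$2
    at_groups=$(id -Gn "$at_user" 2>/dev/null || true)
    find "$at_root" -path "$at_root/sites/default/files" -prune -o \
        \( -type f -o -type d \) -exec stat -c '%U %G %a %n' {} + |
    while read -r at_owner at_group at_mode at_path; do
        if can_write "$at_user" "$at_groups" "$at_owner" "$at_group" "$at_mode"; then
            printf '%s %s:%s %s\n' "$at_mode" "$at_owner" "$at_group" "$at_path"
        fi
    done
}

# Usage (path and user are placeholders):
#   audit_tree /path/to/drupal www-data
```

A web server user that owns a file can also chmod it, so tightening the mode alone does not substitute for changing the owner.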
Comment #8
artatum commented:
I'm on shared hosting. Services? I only know that I've got a cPanel, and can use git and drush...
This user is the overall user of my hosting and works everywhere.
And it's the same problem at Greengeeks, on a VPS. But there a 'ps aux' gives a lot of different users (a few lines only):
root 1 0.0 0.0 10372 84 ? Ss Apr30 0:06 init [3]
...
root 553 0.0 0.0 5932 208 ? Ss Apr30 1:03 syslogd -m 0
named 599 0.0 0.2 251060 2256 ? Ssl Apr30 0:06 /usr/sbin/named
...
mailnull 756 0.0 0.0 67464 460 ? Ss Apr30 0:00 /usr/sbin/exim
...
dovenull 777 0.0 0.0 43756 700 ? S Apr30 0:00 dovecot/imap-lo
laurent 26122 0.0 0.1 93240 1360 ? S May06 0:00 sshd: laurent@
laurent 26129 0.0 0.1 12168 1360 pts/0 Ss May06 0:00 -bash
nobody 30418 0.0 0.3 68392 3788 ? S 11:21 0:00 /usr/local/apac
sshd 32560 0.0 0.1 66160 1496 ? S 12:44 0:00 sshd: root [net
laurent 32565 0.0 0.0 10744 1016 pts/0 R+ 12:44 0:00 ps aux
and whoami :
Warning: shell_exec() has been disabled for security reasons ...
Comment #9
AohRveTPV commented:
From the ps output it appears Apache is running as user 'nobody' on the VPS. If 'laurent' is the owner of the Drupal files, and the files/directories permissions are set properly, the Security Review check should pass.
What is the ownership and permissions for a file that fails the Security Review check (ls -la output)?
Comment #10
artatum commented:
ls -la index.php :
-rw-r--r-- 1 laurent laurent 529 May 4 12:58 index.php
I tried to create a group or a user (groupadd, useradd) but I'm not allowed to at GoDaddy. (I'm moving from Greengeeks -> GoDaddy)
I imagine I, and a pretty bunch of others, will have to live with it...
Comment #11
AohRveTPV commented:
Maybe it is possible to create an FTP user, then upload your Drupal files using that user, so that they are owned by that user instead of the web server user ('laurent')?
https://support.godaddy.com/help/article/1236/adding-ftp-users-to-your-s...
It might just not be possible to solve this problem with a GoDaddy shared hosting account, as you say. (Unfortunately they do not offer a free trial, else I would try.) GoDaddy does offer dedicated servers and VPS accounts, which would allow creating users, if that is an option.
Comment #12
mattys commented:
I am having exactly the same problem, although I am on a dedicated server, so it may be easier to sort.
So all my files are listed as having bad permissions issues, even though they are 0755 directories and 0644 files, like the original post, plus the server is able to edit /httpdocs/sites/all/modules/security_review/IGNOREME.txt, even though it is 0644.
Looks like an ownership issue again.
My hosting company aren't able to assist as they say all permissions are fine.
I hope you can help.
To top it off, all my Drupal installations are currently being hacked, even though they have been updated to 7.58, etc., constantly having to delete files etc., change permissions.
Permissions issues are the only thing being flagged in Security Review, so it would be good to get this sorted.
I have just run the ps aux | egrep '(apache|httpd)' command and the output is:
Last login: Mon Apr 23 12:18:40 2018 from 193.200.80.2
root@server3:~# ps aux | egrep '(apache|httpd)'
root 1742 0.0 0.0 9452 920 pts/2 S+ 16:14 0:00 egrep --color=auto (apache|httpd)
root 8426 0.0 0.1 475096 44496 ? Ss 10:26 0:00 /usr/sbin/apache2 -k start
www-data 8429 0.0 0.0 182576 21068 ? S 10:26 0:05 /usr/sbin/apache2 -k start
www-data 8431 0.0 0.3 483284 90276 ? S 10:26 0:17 /usr/sbin/apache2 -k start
www-data 8434 0.0 0.4 508612 117424 ? S 10:26 0:15 /usr/sbin/apache2 -k start
www-data 8435 0.0 0.4 508316 115700 ? S 10:26 0:17 /usr/sbin/apache2 -k start
www-data 8746 0.0 0.4 491576 98396 ? S 10:29 0:17 /usr/sbin/apache2 -k start
www-data 13383 0.0 0.4 508308 115380 ? S 11:34 0:14 /usr/sbin/apache2 -k start
www-data 18369 0.0 0.3 483772 89860 ? S 12:42 0:09 /usr/sbin/apache2 -k start
www-data 18888 0.0 0.4 495220 102980 ? S 12:49 0:09 /usr/sbin/apache2 -k start
www-data 20222 0.0 0.1 475628 31292 ? S 16:00 0:00 /usr/sbin/apache2 -k start
www-data 29006 0.0 0.2 480988 69096 ? S 14:59 0:03 /usr/sbin/apache2 -k start
www-data 29041 0.0 0.3 498788 88768 ? S 14:59 0:03 /usr/sbin/apache2 -k start
root@server3:~#
can you see which user the web server is running as?
help appreciated
matt
Comment #13
mattys commented:
Attached is an example of a file that is being flagged as having incorrect permissions and you can see what the permissions are.
Comment #14
mattys commented:
Just to clarify, this is for Drupal 7.58, Security Review 7.x-1.3
Comment #15
smustgrave at Mobomo commented:
Closing as outdated after 6 years as we transition to Drupal 10.
I'm keeping an eye on the 7.x branch of this module, reviews and majors, but
active work is going toward 2.x (supporting D10)
If valid for 2.x please reopen