By steff2009 on
Hi, my provider recommended that, after Drupal installation, I change the permissions on the file install.php to avoid inadvertently running the installation procedure again. However, they did not specify what exactly the permission level should be.
I also read all the installation documentation that comes with Drupal 6.11 and could not find any recommendation. Is chmod 640 fine according to you?
Thank you.
Comments
First, there is no known specific danger from keeping install.php (or update.php) accessible.
- If Drupal is installed it will just give a "Drupal already installed" page.
- If Drupal is not installed it will need a valid db user/db password/db name to proceed with an installation.
However it may be a good cosmetic measure to make it inaccessible to browsers.
If you want to use file permissions, what you need to do is to make it unreadable by the web server. What that means depends.
- I have found that on one hosted server with PHP installed as mod_php, permissions 640 work fine (or 600 if apache is in the file's group, or 000 if apache is the file's owner).
- On another hosted server with PHP as CGI/FastCGI with suexec, that is not enough and only 000 can make the file inaccessible to the web.
Try it, browse, and see.
Or just rename it to install.php-OFF to make it a text file which doesn't run, and you don't really care if anyone browses there and reads the code. It seems sloppy but I prefer it: it is quick and I can see what is going on at a glance.
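
The permission cases in the comment above, as an added example that is not part of the original thread: a POSIX shell model of the owner/group/other read check, used to find which of 640, 600 or 000 denies the web process. The account name `alice` and server user `www-data` are constructed, and the suexec case assumes PHP runs as the file's owner.

```sh
#!/bin/sh
# Added example: model of the Unix read check behind the cases above.
# Only the FIRST matching class (owner, then group, then other) is consulted.
# Root and ACLs are not modelled.

# web_can_read MODE FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Exit status 0 if the process may read the file, 1 otherwise.
web_can_read() (
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    bits=$((0$mode))            # leading 0 makes the constant octal
    shift_by=0                  # default: "other" bits
    if [ "$user" = "$owner" ]; then
        shift_by=6              # owner bits
    else
        for g in $groups; do
            if [ "$g" = "$group" ]; then shift_by=3; fi   # group bits
        done
    fi
    [ $(( (bits >> shift_by) & 4 )) -ne 0 ]   # 4 = read bit of the class
)

# blocking_mode FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Prints the most permissive of 640, 600, 000 that still denies read.
blocking_mode() (
    for m in 640 600 000; do
        if ! web_can_read "$m" "$@"; then
            echo "$m"
            exit 0
        fi
    done
    exit 1
)

# Constructed scenarios (alice = hosting account, www-data = web server user).
demo() {
    echo "mod_php, server is 'other':    $(blocking_mode alice alice www-data 'www-data')"
    echo "mod_php, server in file group: $(blocking_mode alice alice www-data 'www-data alice')"
    echo "mod_php, server owns the file: $(blocking_mode www-data www-data www-data 'www-data')"
    echo "suexec, PHP runs as owner:     $(blocking_mode alice alice alice 'alice')"
}
demo
```

The model only predicts the kernel's decision; the browser check described in the comment is still what confirms how a given host actually runs PHP.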