Private files "Not fully protected" error in status report is wrong in cases when the specified directory does not exist

Try this, go to your Drupal 8, configuration page:

admin/config/media/file-system

Change the field 'Temporary directory' from...

/tmp

...to...

~/tmp

Click the page-bottom button "Save configuration".

not sure changing the ~tmp folder will matter I didn't try that. but I did find that visiting the file system page and saving it, generated the .htaccess file I needed in the private file system folder above the root. As an aside, I believe the Drupal generated .htaccess file in the /tmp/ folder can be copied and utilized in the private file system folder. I should have compared the files before replacing but at this point, replacement hasn't changed functionality.

I think the confusion that may be at play here is that the private file system path is set in settings.php. Pre-D8 the path was set on the file system page forcing a save of the page. This assumes that the actual generation of the .htaccess was due to saving the page and not some other unknown at moment.

my reading of this - the OP talked about 'Private files' ... then the discussion segued to the TMP directory - a different problem actually.

In d 8.8.5 I have the same error for my Private Files - and indeed it links to useless information about the d7. Sure, some of that information is related but the solution specific for d8 is not documented or given. I've just tried deleting the .htaccess and got the error, editing the .htaccess to have the textual content documented on the d7 page, and still got the error.
I'm about to explore if my reference to the location is somehow bad or broken but it's quite frustrating.

Drupal 8.8.x seems to have deprecated some old code for writing the .htaccess file. Saving the file system configuration no longer seems to write the .htaccess file in the private files folder. At least it didn't for me.

Searching the code a bit, I found core/lib/Drupal/Component/FileSecurity/FileSecurity.php containing code to assemble a .htaccess file with an option for the private folders version. The file it assembles for the private files folder is:

# Deny all requests from Apache 2.4+.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>

# Deny all requests from Apache 2.0-2.2.
<IfModule !mod_authz_core.c>
  Deny from all
</IfModule>


# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>

Clear caches after you put that in place. Got rid of the error message for me.

This is an old issue that has been renamed to flag only the lack of useful information when the private folder doesn't exist. #10 and this are about lack of clarity for what D8 wants and, in my case, whether or not the .htaccess file should be generated when the file system configuration is saved (like used to happen). A .htaccess file was generated inside a config/sync folder I created so they are sometimes created.

Someone who understands the design intent better than I do may want to create a new issue. The solution seems to be a) clean up the documentation, b) properly generate the .htaccess file for the private files folder, or both.

I just ran into this for the private files folder path when setting up a new install. For whatever it's worth, glbr's instructions and code appears to have fixed it for me after a clearing of the cache. My status page indicates that all is well now.

With a new install in Drupal 8.8 glbr's code worked well for me, too.

For Drupal 8.9, first, create the private folder (mine is at the same level as the web folder) and ensure the folder permissions are set to 0777. Next, configure the $settings['file_private_path'] in your settings.php. Mine is configured to $settings['file_private_path'] = $app_root . '/../private';. Finally, clear drupal caches...drupal will generate the appropriate .htaccess file in the folder you specified in $settings['file_private_path']

For Drupal 8.9 #11 also worked for me. I ve set $settings['file_private_path'] = '../private' and used #15 permissions

Drupal 8.9.x is in security support only.

for Drupal 9 #15 works fine ! thanks

So by the sound of it this is either a documentation issue, or that the form (or status report) doesn't provide adequate feedback as to what is wrong.

Can someone confirm and update the issue summary to use the template to confirm what is needed here.

Also #2906490: "TEMPORARY/PUBLIC/PRIVATE FILES DIRECTORY" security error provides useless guidance has a patch (albeit for temporary stream wrapper) that could equally apply to private files.

Does anyone have an objection to closing this and working over there?

Looking at #2906490: "TEMPORARY/PUBLIC/PRIVATE FILES DIRECTORY" security error provides useless guidance it does indeed improve the documentation and status message for all three of public, private and temporary.

So closing this as a duplicate.

Commenting to add to this that you should not be setting 0777 in most cases, this gives anyone read, write and execute. Its also more permissions than are needed.

Permissions should be set to 0770 at most, Setting folder ownership to www-data and acces to 0700 should be sufficient.

Once you have done that clear cache and run cron and it should be created.