Documentation Level: Advanced
Documentation Status: Incomplete

Stricter Permissions Configuration

  • Provides "defense in depth" that may limit the damage that may be done to your site if a malicious user gains the ability to execute arbitrary PHP code.
  • Requires that modules be added or updated by an administrator with server-level access, such as FTP or SSH.
  • Works better when the source code is being managed with version control, such as Git.
  • Disables the ability to download or update modules through the Backdrop user interface.

An example of the root of a Backdrop installation with stricter permissions would look like this:

drwxrwxr-x  8 kris     kris      4.0K Aug 27 08:43 core/
drwxrwxr-x 14 www-data www-data  4.0K Aug 14 17:52 files/
-rw-rw-r--  1 kris     kris      5.9K Jul 22 16:47 .htaccess
-rw-rw-r--  1 kris     kris       578 Aug 27 08:43 index.php
drwxrwxr-x  2 kris     kris      4.0K May 24 21:44 layouts/
drwxrwxr-x 19 kris     kris      4.0K Aug  2 10:11 modules/
drwxrwxr-x  5 kris     kris      4.0K Aug 27 08:43 profiles/
-rw-rw-r--  1 kris     kris      3.9K Aug 26 14:40 README.md
-rw-rw-r--  1 kris     kris      1.2K May 24 21:44 robots.txt
-rw-rw-r--  1 kris     kris       15K Aug 27 08:43 settings.php
drwxrwxr-x  3 kris     kris      4.0K May 24 21:44 sites/
drwxrwxr-x  2 kris     kris      4.0K May 24 21:44 themes/

Note that the files directory (where Backdrop stores uploaded files) is owned by the web server user (www-data), while all other files are owned by the FTP/SSH user (kris). In both cases write permission is granted only to the owning user and its group (664 for files, 775 for directories); everyone else can read but not write. Because www-data is not a member of the kris group, the web server cannot modify any of the PHP code, which is what limits the damage from code execution.

Stricter permissions that match the example above may be set with the following commands (run as root, or prefix the chown commands with sudo):

# Switch to the root directory of Backdrop first.
cd /var/www/html/backdrop
# Set the ownership of the current directory and all children.
chown -R kris:kris .
# Set the owner of the "files" directory.
chown -R www-data:www-data files
# Set the permissions for files and directories.
find . -type f -exec chmod 664 '{}' \;
find . -type d -exec chmod 775 '{}' \;

Alternatively, permissions may be set using the Backdrop drush command fix-permissions.

bee Considerations

If you are using the bee command-line tool, you will need to make one more change, because bee writes to the config directory, which by default lives within the files directory. The user kris (or whoever runs bee) needs permission to write to that directory; conversely, www-data needs permission to modify the files that kris creates there with bee.

The easiest way to do this is to add the following commands to the sequence above. Group membership changes take effect only after kris logs in again and the web server is restarted. Be aware that the second command gives www-data group write access to everything owned by kris, including the code files and directories set to 664/775 above, which weakens the separation this configuration is meant to provide; if you want the web server to remain unable to modify code, keep www-data out of the kris group and instead make the config directory setgid with group www-data, so that files kris creates there inherit that group.

# Add user kris to the www-data group
sudo usermod -a -G www-data kris
# Add user www-data to the kris group
sudo usermod -a -G kris www-data
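The following script is an added example, not part of the Backdrop project or of this page's original commands. It wraps the ownership and chmod sequence above in a reusable function, adds a verification function that reports whether a tree still matches the scheme, and handles the bee case with a setgid files directory instead of adding www-data to the kris group. The function names backdrop_fix_perms and backdrop_check_perms, the example path, and the setgid approach are this example's own choices; it assumes a POSIX shell with chown, chmod and find, and that it is run as root (or a user allowed to chown) whenever the deploy user and web user differ.

```shell
#!/bin/sh
# Added example (not the Backdrop project's code): apply and verify the
# stricter-permissions scheme described on this page.
# Assumes POSIX sh + chown/chmod/find; run as root when USER != WEBUSER.
set -e

# backdrop_fix_perms ROOT USER GROUP WEBUSER WEBGROUP
backdrop_fix_perms() {
  root=${1%/}; user=$2; group=$3; webuser=$4; webgroup=$5
  [ -d "$root/files" ] || { echo "not a Backdrop root (no files/): $root" >&2; return 1; }
  # All code is owned by the deploy user (kris); the web server can only read it.
  chown -R "$user:$group" "$root"
  # Uploads, and by default the config directory inside files/, belong to the web server.
  chown -R "$webuser:$webgroup" "$root/files"
  # 664 for files, 775 for directories: owner and group may write, others only read.
  find "$root" -type f -exec chmod 664 '{}' \;
  find "$root" -type d -exec chmod 775 '{}' \;
  # setgid on every directory under files/ so anything the deploy user creates there
  # (for example with bee) inherits the web-server group. The deploy user then only
  # needs membership in WEBGROUP; WEBUSER never needs membership in GROUP, which
  # would otherwise hand the web server group-write access to the whole code tree.
  find "$root/files" -type d -exec chmod g+s '{}' \;
}

# backdrop_check_perms ROOT: succeeds only when every path matches the scheme.
backdrop_check_perms() {
  root=${1%/}
  bad=0
  # every regular file must be exactly 664
  n=$(find "$root" -type f ! -perm 664 | wc -l); bad=$((bad + $n))
  # directories outside files/ must be exactly 775
  n=$(find "$root" -path "$root/files" -prune -o -type d ! -perm 775 -print | wc -l)
  bad=$((bad + $n))
  # directories inside files/ must be 775 plus the setgid bit
  n=$(find "$root/files" -type d ! -perm 2775 | wc -l); bad=$((bad + $n))
  [ "$bad" -eq 0 ]
}

# Example invocation matching the listing above (assumed path):
#   backdrop_fix_perms /var/www/html/backdrop kris kris www-data www-data
#   backdrop_check_perms /var/www/html/backdrop && echo "permissions OK"
```

With the setgid bit in place, the only group change still needed for bee is `usermod -a -G www-data kris`; the check function is useful as a post-deploy or cron sanity test, since a single `chmod 777` left behind by a deployment tool is enough to reopen the code tree to the web server.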