Documentation Level: 
Documentation Status: 

Stricter Permissions Configuration

  • Provides "defense in depth" that may limit the damage that may be done to your site if a malicious user gains the ability to execute arbitrary PHP code.
  • Requires that adding or updating modules be done through server-level access, such as FTP or SSH by an administrator.
  • Works better when the source code is being managed with version control, such as Git.
  • Disables the ability to download or update modules through the Backdrop user interface.

An example of the root of a Backdrop installation with stricter permissions would look like this:

drwxrwxr-x  8 kris     kris      4.0K Aug 27 08:43 core/
drwxrwxr-x 14 www-data www-data  4.0K Aug 14 17:52 files/
-rw-rw-r--  1 kris     kris      5.9K Jul 22 16:47 .htaccess
-rwxrw-r-x  1 kris     kris       578 Aug 27 08:43 index.php
drwxrwxr-x  2 kris     kris      4.0K May 24 21:44 layouts/
drwxrwxr-x 19 kris     kris      4.0K Aug  2 10:11 modules/
drwxrwxr-x  5 kris     kris      4.0K Aug 27 08:43 profiles/
-rw-rw-r--  1 kris     kris      3.9K Aug 26 14:40
-rw-rw-r--  1 kris     kris      1.2K May 24 21:44 robots.txt
-rw-rw-r--  1 kris     kris       15K Aug 27 08:43 settings.php
drwxrwxr-x  3 kris     kris      4.0K May 24 21:44 sites/
drwxrwxr-x  2 kris     kris      4.0K May 24 21:44 themes/

Note that the files directory (where Backdrop stores uploaded files) is owned by the web server user (www-data), while all other files are owned by the FTP/SSH user (kris). Write permissions is restricted only to the owning user in both cases.

Stricter permissions that match the example above may be set with the following commands:

# Switch to the root directory of Backdrop first.
cd /var/www/html/backdrop

# Set the ownership of the current directory and all children.
chown -R kris:kris .

# Set the owner of the "files" directory.
chown -R www-data:www-data files

# Set the permissions for files and directories.
find . -type f -exec chmod 664 '{}' \;
find . -type d -exec chmod 775 '{}' \;

Alternatively, permissions may be set using the Backdrop drush command fix-permissions.