Setting the file permissions on your server can help improve the security of your site. The permissions that are used may vary based on your server configuration, your level of access, and the way you intend to use your Backdrop site.

Choosing Permissions Level

There are two common configurations of file permissions for Backdrop:

  • Stricter permissions: Where the web server user (commonly www-data or apache) cannot write files. A separate user account (accessed via FTP or SSH) owns the files.
  • Looser permissions: Where the web server user and the owner of the files is the same.

In many cases, the level of permissions that should be set on the files is determined by the level of active maintenance you perform, and on what servers your site resides. If you wish to use the built-in user interfaces for installing and updating modules, the looser permissions are required. And if you are using shared hosting (such as Bluehost, A2 Hosting, Namecheap, GoDaddy, or many others), then looser permissions may be your only choice, because on most shared hosts the web server and the FTP/SSH user are the same.

If you manage your site's code with a version control system (such as Git) and you have full administrative abilities on your server, then stricter permissions are recommended.

Stricter Permissions Configuration

  • Provides "defense in depth" that may limit the damage done to your site if a malicious user gains the ability to execute arbitrary PHP code.
  • Requires that adding or updating modules be done through server-level access, such as FTP or SSH by an administrator.
  • Works better when the source code is being managed with version control, such as Git.
  • Disables the ability to download or update modules through the Backdrop user interface.

An example of the root of a Backdrop installation with stricter permissions would look like this:

drwxrwxr-x  8 kris     kris      4.0K Aug 27 08:43 core/
drwxrwxr-x 14 www-data www-data  4.0K Aug 14 17:52 files/
-rw-rw-r--  1 kris     kris      5.9K Jul 22 16:47 .htaccess
-rwxrw-r-x  1 kris     kris       578 Aug 27 08:43 index.php
drwxrwxr-x  2 kris     kris      4.0K May 24 21:44 layouts/
drwxrwxr-x 19 kris     kris      4.0K Aug  2 10:11 modules/
drwxrwxr-x  5 kris     kris      4.0K Aug 27 08:43 profiles/
-rw-rw-r--  1 kris     kris      3.9K Aug 26 14:40 README.md
-rw-rw-r--  1 kris     kris      1.2K May 24 21:44 robots.txt
-rw-rw-r--  1 kris     kris       15K Aug 27 08:43 settings.php
drwxrwxr-x  3 kris     kris      4.0K May 24 21:44 sites/
drwxrwxr-x  2 kris     kris      4.0K May 24 21:44 themes/

Note that the files directory (where Backdrop stores uploaded files) is owned by the web server user (www-data), while all other files are owned by the FTP/SSH user (kris). Write permission is restricted to the owning user in both cases.

Stricter permissions that match the example above may be set with the following commands:

# Switch to the root directory of Backdrop first.
cd /var/www/html/backdrop

# Set the ownership of the current directory and all children.
chown -R kris:kris .

# Set the owner of the "files" directory.
chown -R www-data:www-data files

# Set the permissions for files and directories.
find . -type f -exec chmod 664 '{}' \;
find . -type d -exec chmod 775 '{}' \;

Alternatively, permissions may be set using the Backdrop drush command fix-permissions.
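A quick way to confirm the stricter layout is actually in place is to list everything outside the files directory that the web server user could still write to; in the stricter configuration that list should be empty. The following audit helper is an added example, not part of Backdrop or Drush; the root path, the www-data user and the files directory name in the example invocation are assumptions taken from the listing above.

```shell
#!/bin/sh
# Added example (not Backdrop's own code): list every path under ROOT, outside
# the uploads directory FILESDIR, that the web server user WEBUSER could write to.
#
# A path counts as writable by WEBUSER when
#   - WEBUSER owns it and the owner write bit is set, or
#   - WEBUSER's primary group owns it and the group write bit is set, or
#   - the "other" write bit is set (anyone on the host can write).
# FILESDIR is pruned because its contents are expected to be web-writable.
web_writable_outside_files() {
    audit_root=${1%/}          # drop a trailing slash so -path matches cleanly
    audit_user=$2
    audit_files=${3:-files}
    audit_group=$(id -gn "$audit_user")
    find "$audit_root" -path "$audit_root/$audit_files" -prune -o \
        \( -user "$audit_user" -perm -u=w \
           -o -group "$audit_group" -perm -g=w \
           -o -perm -o=w \) -print
}

# Exit status 0 when the tree matches the stricter layout, 1 otherwise.
# Offending paths go to stderr so this can run from cron or a deploy step.
check_stricter_layout() {
    offenders=$(web_writable_outside_files "$@")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Example invocation for the layout shown above (path and user are assumptions):
#   check_stricter_layout /var/www/html/backdrop www-data files
```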

Looser Permissions Configuration

  • Enables the ability to download modules from BackdropCMS.org (via the Installer module).
  • Enables the ability to update modules through the Backdrop user interface (via the Installer module).
  • Will eventually be required for enabling automatic self-updates (as planned for future versions of Backdrop).
  • May be the only option on shared hosting, where the web user and FTP/SSH user are the same.

An example of the root of a Backdrop installation with looser permissions would look like this:

drwxrwxr-x  8 kris kris  4.0K Aug 27 08:43 core/
drwxrwxr-x 14 kris kris  4.0K Aug 14 17:52 files/
-rw-rw-r--  1 kris kris  5.9K Jul 22 16:47 .htaccess
-rwxrwxr-x  1 kris kris   578 Aug 27 08:43 index.php
drwxrwxr-x  2 kris kris  4.0K May 24 21:44 layouts/
drwxrwxr-x 19 kris kris  4.0K Aug  2 10:11 modules/
drwxrwxr-x  5 kris kris  4.0K Aug 27 08:43 profiles/
-rw-rw-r--  1 kris kris  3.9K Aug 26 14:40 README.md
-rw-rw-r--  1 kris kris  1.2K May 24 21:44 robots.txt
-rw-rw-r--  1 kris kris   15K Aug 27 08:43 settings.php
drwxrwxr-x  3 kris kris  4.0K May 24 21:44 sites/
drwxrwxr-x  2 kris kris  4.0K May 24 21:44 themes/

This is typical of a shared hosting server, where everything (including the files directory) is owned by the same user. On some shared hosts, PHP files that are executed directly (such as index.php) need to be marked executable. Executable PHP files within Backdrop include:

index.php
core/install.php
core/update.php
core/cron.php

There is also a directory of executable shell scripts under core/scripts, but these are not commonly needed to run a Backdrop site. Looser permissions that match the example above may be set on your server with the following commands:

# Switch to the root directory of Backdrop first.
cd ~/public_html

# Set the owner and group for all files.
chown -R kris:kris .

# Set the permissions for files and directories.
find . -type f -exec chmod 664 '{}' \;
find . -type d -exec chmod 775 '{}' \;

# Mark executable PHP scripts as executable.
chmod 774 index.php
chmod 774 core/install.php
chmod 774 core/update.php
chmod 774 core/cron.php