Drupal and permissions - avoiding 'The directory sites/default/files is not writable' error
Have you moved a Drupal site to another server and received the error 'The directory sites/default/files is not writable'? The site worked on the previous server, and the permissions seem the same. Ah, an easy fix...make the permissions for the files directory 777.
Noooo!
Let's take a look at what the numbers in the permissions setting mean.
There are 3 types of permission: read, write and execute, and they refer to the ability to perform that activity on the file or directory. The one that has to be guarded is write access, because that's the one that could allow credents to trash your files.
There are also three classes of user, with regards to permissions: owner, group, and other. The owner is the user that owns the file. The group is the group that the file should be associated with. Every user, including mysql, apache and other processes, belong to a group. The final class if for everyone else. So, for example, you may want to allow a file's owner to do everything with the file, people in a certain group to be able to read and execute the file, but not write to it, and everyone else to have no access at all.
The permssions can be envisoned as a matrix, as follows, with each class being able to have any or none of the three possible permissions.
| OWNER | GROUP | OTHER | |||||||
| R | W | X | R | W | X | R | W | X | |
The permissions value, such as 777, is an octal value. Each of the digits relates to a class, in the order of owner, group and other. Each digit represents bits, the sum of values based on read access in any class being 4, write being 2 and execute being 1. The combinations are as follows:
| R | W | X | Value |
| Yes | Yes | Yes | 7 |
| Yes | Yes | No | 6 |
| Yes | No | Yes | 5 |
| Yes | No | No | 4 |
| No | Yes | Yes | 3 |
| No | Yes | No | 2 |
| No | No | Yes | 1 |
| No | No | No | 0 |
Thus, permissions of 777 means that everyone can read, write and execute the file. You almost never want the permissions for other to be everyone. The typical permissions for a file should be
| OWNER | GROUP | OTHER | |||||||
| R | W | X | R | W | X | R | W | X | |
| x | x | x | x | x | x | x | |||
which translates to
| OWNER | GROUP | OTHER | |||||||
| R | W | X | R | W | X | R | W | X | |
| 4 | 2 | 1 | 4 | 0 | 1 | 4 | 0 | 1 | |
| 7 | 5 | 5 | |||||||
755, well, actually %755, with the '%' representing an octal value. This allows only the owner of the file to write to the file. Keep in mind that 'owner' doesn't mean the user who uploaded an image or created a piece of content. It means the process on the server that created the file, which will typically be the Apache web server, or whichever you are using. So, how do you change the permissions of your default/files directories to be 755 instead of 777? The chmod command:
sudo chmod [path-to-my-Drupal-directory]/sites/default/files 755 -R
This will change the default/files permissions to 755 and the permissions of every file and directory in the default/files tree, so, for example, default/files/images.
Now that you've done that, are you getting an error that the default/files directory isn't writable? If so, the problem is not that the permissions aren't open to the world as 777, but that the directories and files do not recognize your web server as the owner. When you move a site to a new location, often you become the owner when injecting them into the new site, rather than the web server. But it isn't you that will be trying to write to them later, it's Apache. So, simply change the owner and group to that of your web server. You will need to find out what that combination is for your server, but on Ubuntu it is www-data for both. To change the owner and group of a file, use the chown command:
sudo chown www-data:www-data [path-to-my-Drupal-directory]/sites/default/files -R
where the first occurrence is the user and the second is the group. Having done this, the web server will be recognized as the owner of the file, and 755 permissions will be adequate to allow it to write to the files it needs to without giving other users that permission.
tip