Drupal configuration file weak file permissions
Description
The Drupal configuration file ./sites/default/settings.php has overly permissive file permissions, allowing the web server user (typically www-data, apache, or nobody) to modify it. According to Drupal security best practices, configuration files should have 644 permissions (read/write for owner, read-only for group and others) and directories should have 755 permissions. When these files are writable by the web server, they become vulnerable to unauthorized modification through web application exploits.
Remediation
Immediately restrict file permissions on the Drupal configuration files to prevent unauthorized modifications. Connect to your server via SSH and execute the following commands from your Drupal installation root directory:
chmod 644 sites/default/settings.php
chmod 644 sites/default/settings.local.php
chmod 755 sites/default/
After applying these permissions, verify the changes using:
ls -la sites/default/settings.php
The output should show -rw-r--r-- permissions. Additionally, ensure that the file owner is your user account (not the web server user) by running:
chown your_username:your_group sites/default/settings.php
After remediation, audit your configuration files for any unauthorized modifications and review server logs for suspicious activity that may have occurred while the files were writable.
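An added audit script, not part of the original advisory, that checks the paths above against the recommended modes and flags any file owned by the web server account; the www-data default and the GNU stat with BSD fallback are assumptions, adjust WEB_USER to apache or nobody as appropriate.

```shell
#!/bin/sh
# Added example: audit Drupal settings files for the advisory's modes.
# Assumes GNU coreutils stat -c, falling back to BSD stat -f.

WEB_USER="${WEB_USER:-www-data}"   # web server account (assumption; adjust)

# file_mode PATH -> octal mode without leading zero, e.g. 644
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner PATH -> owner user name
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_path PATH EXPECTED_MODE
# Returns 0 when the mode matches and the owner is not the web server user.
# A missing path is skipped (settings.local.php is optional).
check_path() {
    path="$1"; want="$2"
    [ -e "$path" ] || { echo "SKIP  $path (not present)"; return 0; }
    mode=$(file_mode "$path")
    owner=$(file_owner "$path")
    status=0
    if [ "$mode" != "$want" ]; then
        echo "FAIL  $path mode $mode (expected $want)"; status=1
    fi
    if [ "$owner" = "$WEB_USER" ]; then
        echo "FAIL  $path owned by web server user $owner"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK    $path $mode $owner"
    return "$status"
}

# audit_drupal ROOT -> 0 only if every checked path complies
audit_drupal() {
    root="${1:-.}"
    rc=0
    check_path "$root/sites/default/settings.php" 644 || rc=1
    check_path "$root/sites/default/settings.local.php" 644 || rc=1
    check_path "$root/sites/default" 755 || rc=1
    return "$rc"
}

# Usage: audit_drupal /var/www/drupal   (run from any account that can stat the files)
```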