jhu-idc / iDC-general

Contains non-code-base specific tickets relating to the Islandora8 for Digital Collection project

Review Drupal container permissions #454

Open birkland opened 2 years ago

birkland commented 2 years ago

Review Drupal site directory permissions

Some directories exist that have 777 permissions. Example: the “core” Drupal directory has things as follows:

drwxrwxrwx 22 nginx nginx 704 Jul 23 17:53 includes
-rw-r--r-- 1 nginx nginx 1.8K Jul 23 17:53 install.php
drwxrwxrwx 5 root root 160 Jul 23 17:54 lib
drwxrwxrwx 78 nginx nginx 2.4K Jul 23 17:54 misc
drwxrwxrwx 83 nginx nginx 2.6K Jul 23 17:56 modules
-rw-r--r-- 1 nginx nginx 3.6K Jul 23 17:56 package.json
-rw-r--r-- 1 nginx nginx 14.6K Jul 23 17:56 phpcs.xml.dist
-rw-r--r-- 1 nginx nginx 4.1K Jul 23 17:56 phpunit.xml.dist
-rw-r--r-- 1 nginx nginx 660 Jul 23 17:56 postcss.config.js
drwxrwxrwx 17 nginx nginx 544 Jul 23 17:57 profiles
-rw-r--r-- 1 nginx nginx 1.8K Jul 23 17:57 rebuild.php
drwxrwxrwx 23 nginx nginx 736 Jul 23 17:57 scripts
drwxrwxrwx 7 nginx nginx 224 Jul 23 17:57 tests
drwxrwxrwx 9 nginx nginx 288 Jul 23 17:57 themes

In general the “nginx” user should not have ownership of all Drupal directories. Currently this is being set in the Dockerfile. The web user generally should only have write access to the public and private files directories.
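An added example (not from this issue or the project's Dockerfile) of auditing a docroot against the policy stated above: nothing world-writable, and the web-server user owning only the public and private files directories. It assumes a standard Drupal layout with public files under sites/*/files; the private files directory path is passed in by the caller because the issue does not state where it lives.

```shell
#!/bin/sh
# Audit helpers for the permission policy described in the issue: nothing in the
# docroot world-writable, and the web-server user owning only the public and
# private files directories. Added example, not the project's Dockerfile.
# Assumptions: standard Drupal layout (public files under sites/*/files); the
# private files directory is passed by the caller since the issue does not say
# where it is located.

# list_world_writable DOCROOT: every file or directory with the other-write bit
# set (the drwxrwxrwx entries in the listing above).
list_world_writable() {
    find "$1" -perm -0002 -print | sort
}

# list_webuser_owned DOCROOT WEBUSER PRIVDIR: entries owned by the web user that
# sit outside the files directories, i.e. ownership the web user should not have.
list_webuser_owned() {
    docroot=$1; webuser=$2; privdir=$3
    find "$docroot" -user "$webuser" \
        ! -path "$docroot/sites/*/files" ! -path "$docroot/sites/*/files/*" \
        ! -path "$privdir" ! -path "$privdir/*" \
        -print | sort
}

# count_lines: number of non-empty lines on stdin (prints 0 for empty input)
count_lines() {
    awk 'NF { n++ } END { print n + 0 }'
}

# harden DOCROOT WEBUSER PRIVDIR (needs root): reset the docroot to root-owned
# 755/644, then hand only the files directories to the web user.
harden() {
    docroot=$1; webuser=$2; privdir=$3
    chown -R root:root "$docroot"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    for d in "$docroot"/sites/*/files "$privdir"; do
        [ -d "$d" ] || continue
        chown -R "$webuser" "$d"   # web user owns it; others still cannot write
        find "$d" -type d -exec chmod 755 {} +
        find "$d" -type f -exec chmod 644 {} +
    done
}

# Usage: list_world_writable /var/www/html | count_lines    (0 means clean)
```

Both audit functions print one offending path per line, so piping into count_lines gives a number a CI job or container healthcheck can compare against zero.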

htpvu commented 2 years ago

Still a valid ticket. Should be done prior to launch.

htpvu commented 2 years ago

More context on the security audit recommendations: https://docs.google.com/document/d/177IDJcBUJ0r2n_sngtVigFtxIJK-LvH4V8_0KiLoAec/edit