I recently changed to Cloudways where I have a server on Digital Ocean running Debian. I am about to roll out a Drupal installation into production, but can't get the file and folder permissions to pass the automated security review (module) test.
My permissions look like this:
drwxr-xr-x 11 ggmpyecgmg www-data 4096 Jän 7 21:58 .
drwxr-xr-x+ 9 root ggmpyecgmg 4096 Jän 10 15:11 ..
-rw-r--r-- 1 ggmpyecgmg www-data 312 Jän 7 02:54 autoload.php
-rw-r--r-- 1 ggmpyecgmg www-data 3156 Jän 7 02:54 composer.json
-rw-r--r-- 1 ggmpyecgmg www-data 165592 Jän 7 02:54 composer.lock
drwxr-xr-x 12 ggmpyecgmg www-data 4096 Jän 7 02:54 core
-rw-r--r-- 1 ggmpyecgmg www-data 1025 Jän 7 02:54 .csslintrc
-rw-r--r-- 1 ggmpyecgmg www-data 357 Jän 7 02:54 .editorconfig
-rw-r--r-- 1 ggmpyecgmg www-data 151 Jän 7 02:54 .eslintignore
-rw-r--r-- 1 ggmpyecgmg www-data 41 Jän 7 02:54 .eslintrc.json
-rw-r--r-- 1 ggmpyecgmg www-data 1507 Jän 7 02:54 example.gitignore
drwxr-xr-x 12 ggmpyecgmg www-data 4096 Jän 10 16:19 files
-rw-r--r-- 1 ggmpyecgmg www-data 3858 Jän 7 02:54 .gitattributes
-rw-r--r-- 1 ggmpyecgmg www-data 7572 Jän 7 19:13 .htaccess
-rw-r--r-- 1 ggmpyecgmg www-data 2314 Jän 7 02:54 .ht.router.php
-rw-r--r-- 1 ggmpyecgmg www-data 549 Jän 7 02:54 index.php
drwxr-xr-x 5 ggmpyecgmg www-data 4096 Dez 23 07:38 libraries
drwxr-xr-x 49 ggmpyecgmg www-data 4096 Jän 10 16:18 modules
drwxr-xr-x 2 ggmpyecgmg www-data 4096 Dez 2 18:21 profiles
-rw-r--r-- 1 ggmpyecgmg www-data 1586 Jän 7 19:13 robots.txt
drwxr-xr-x 3 ggmpyecgmg www-data 4096 Dez 30 20:41 sites
drwxr-xr-x 3 ggmpyecgmg www-data 4096 Dez 30 20:36 themes
drwxr-xr-x 6 ggmpyecgmg www-data 4096 Jän 10 16:18 tmp
-rw-r--r-- 1 ggmpyecgmg www-data 804 Jän 7 02:54 update.php
drwxr-xr-x 19 ggmpyecgmg www-data 4096 Jän 7 02:54 vendor
-rw-r--r-- 1 ggmpyecgmg www-data 4566 Jän 7 02:54 web.config
In my understanding, www-data should not have any write permissions by now. But still, the security review module prompts: “The following files and directories appear to be writeable by your web server.” And then followed by a huge list of files in /modules, /core, /vendor and so on…
I changed ownership “chown -R ggmpyecgmg:www-data /drupal_root_folder”
Then I took away writing permission of www-data by “chmod -R g-w” for the root folder.
But still, everything seems to be writeable for apache.
Has anybody experience with setting up file permissions on Cloudways / Digital Ocean? Can anybody point me to anything I might have overlooked?
I am a little desperate already. Thank you very much in advance!
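
A diagnostic for the situation described in the post, added here as an example and not part of the original post: `chmod -R g-w` only removes write access for the group class, so the result depends on which uid and gids the web server or PHP worker really runs with. The function name `writable_by` and its arguments are hypothetical; it assumes GNU find and evaluates mode bits only, not POSIX ACLs (the `+` after the mode string in `ls -l`).

```shell
#!/bin/sh
# Added example: list paths under ROOT that a given process identity can
# write to, judged by owner/group/other mode bits only.
# Assumptions: GNU find (-printf), as shipped on Debian. ACLs are not evaluated,
# and uid 0 bypasses these checks entirely.
#
# usage: sh writable_by.sh UID "GID [GID...]" ROOT
#   UID   numeric uid the web server / PHP worker runs as
#   GIDs  numeric gids of that process (primary and supplementary)
#   ROOT  directory tree to inspect, e.g. the Drupal root

writable_by() (
    uid=$1 gids=" $2 " root=$3
    # Symlinks always show mode 777, so they are skipped.
    find "$root" ! -type l -printf '%U %G %m %p\n' |
    while read -r fuid fgid mode path; do
        m=$((0$mode))                 # %m prints octal without the leading 0
        # The kernel consults exactly one class: owner first, then group,
        # then other. An owner match never falls through to the group bits.
        if [ "$uid" = "$fuid" ]; then
            class=owner; bit=$((m & 0200))
        else
            case "$gids" in
                *" $fgid "*) class=group; bit=$((m & 0020)) ;;
                *)           class=other; bit=$((m & 0002)) ;;
            esac
        fi
        if [ "$bit" -ne 0 ]; then
            printf '%s\t%s\t%s\n' "$class" "$mode" "$path"
        fi
    done
)

# Run directly when called with the three arguments described above.
if [ "$#" -eq 3 ]; then
    writable_by "$@"
fi
```

Each output line names the permission class that grants the write bit, the octal mode and the path. Lines tagged `owner` mean the evaluated process shares its uid with the file owner, which removing group write does not change.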