Drupal Security: What permissions for settings.php?

The last couple of days as I get ready for my website relaunch and prepare the final production text for Drupal for Designers (which is currently getting ready for publication!), I've found myself in an interesting set of conversations over one of my recommendations in Drupal Development Tricks for Designers: mainly, that if you have to adjust settings.php in order to increase the memory limit for Drupal (a not uncommon occurrence), you must remember to set the permissions for that file back to 444 once you're done. This isn't an unusual recommendation; in fact, Lullabot recommends having your permissions set to 444, as does this thread at StackExchange.

That said, when I reached out to my Twitter followers for more insight on this idea, a couple of folks made a good point: a mode of 444 is read-only for the owner, the group, and everyone else on the system, so anyone who can get shell access to your web server, including other customers on a shared host, can read the database credentials out of your settings.php. This could easily become a problem in shared hosting environments.

Ultimately, I've come down on the side of caution, since I do tend to host a decent number of my sites on shared environments, and many small projects will as well. Thus, I'm updating my recommendations to go with Kevin's recommendation (above) to give settings.php permissions of 400 once you make any changes to it. Mode 400 is readable by the file's owner alone, so this works when PHP runs under your own account, as it does on most shared hosts that use suPHP or per-user FastCGI; if PHP runs as a shared account such as www-data, the file would have to be owned by that account, and other sites on the same server running as that account could still read it. Check which user your PHP processes run as before relying on this.
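The following script is an added example, not part of the original post and not a Drupal tool: it reports whether a settings.php is readable or writable by anyone other than its owner, and warns when the owner is not the user PHP runs as (the path sites/default/settings.php and the user name www-data are assumptions; substitute your own). It goes slightly beyond the post by also flagging group- or world-writable files, which is worse than readable.

```bash
#!/bin/sh
# Added example: audit the mode and owner of a Drupal settings.php.
# Assumptions: the file path and the PHP user (www-data) are placeholders.

# Classify a 3- or 4-digit octal mode string, ignoring setuid/setgid/sticky bits.
# Returns 0 when only the owner can read the file (e.g. 400, 600),
#         1 when group or world can read it (e.g. 444, 644),
#         2 when group or world can write to it (e.g. 664, 666).
classify_mode() {
    local mode perm g o
    mode=$1
    case $mode in ?) mode=00$mode ;; ??) mode=0$mode ;; esac
    perm=${mode#"${mode%???}"}      # keep the last three digits: owner/group/other
    g=${perm#?}; g=${g%?}           # group digit
    o=${perm#??}                    # other (world) digit
    if [ $(( (g | o) & 2 )) -ne 0 ]; then return 2; fi
    if [ $(( (g | o) & 4 )) -ne 0 ]; then return 1; fi
    return 0
}

# Print "<octal mode> <owner>" for a file (GNU stat first, then BSD/macOS stat).
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Check a settings.php. Second argument: the user PHP actually runs as
# (www-data under mod_php/php-fpm on Debian; your own login under suPHP or
# per-user FastCGI). Exit status follows classify_mode; 3 means stat failed.
check_settings_perms() {
    local file webuser out mode owner rc
    file=$1
    webuser=${2:-www-data}
    out=$(file_mode_owner "$file") || return 3
    mode=${out%% *}
    owner=${out#* }
    rc=0
    classify_mode "$mode" || rc=$?
    case $rc in
        0) echo "$file: mode $mode, owner $owner: readable by owner only" ;;
        1) echo "$file: mode $mode: group or world can read it; database credentials are exposed to other shell users. Fix: chmod 400 $file" ;;
        2) echo "$file: mode $mode: group or world can WRITE it; anyone on the box can alter your site config. Fix: chmod 400 $file" ;;
    esac
    if [ "$owner" != "$webuser" ]; then
        echo "note: owner is $owner, not $webuser; with mode 400 PHP can read this file only if it runs as $owner" >&2
    fi
    return $rc
}

# Stand-alone usage: sh check_settings.sh sites/default/settings.php www-data
if [ $# -gt 0 ]; then
    check_settings_perms "$1" "${2:-www-data}"
fi
```

Run it from the Drupal root after any edit to settings.php; a non-zero exit status means the file still leaks or, worse, accepts changes from other users, and the stderr note tells you whether 400 will actually work with the account your PHP runs under.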
