Problem/Motivation
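We shouldn't allow open access to the compiled PHP container.
Previously we had strict permissions on the sites/default/files/php folder.
Now it is getting 777 permissions, which leaves the directory that holds the compiled PHP code writable by every local user on the server.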
Proposed resolution
Fix it
Remaining tasks
All of them
User interface changes
None
API changes
Original report
I am running a test platform using Drupal 8 and noticed that the folder /sites/default/files/php kept getting its permissions reset to 777. After searching the code base, I found the following places that apply 777 permissions to folders/files.
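I have not looked into what each instance is doing, but I am pretty sure that no folder should be set to have 777 permissions. Some in this list are for vendor components, so not the responsibility of the Drupal team, but some are part of core Drupal. The hits are not all equivalent: the mode passed to PHP's native mkdir() is reduced by the process umask, whereas chmod() sets the mode exactly as given, so the direct chmod() calls (such as the one in FileStorage.php) produce 777 regardless of the umask. Several of the other core hits are in test classes rather than runtime code.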
grep -rI '777' . | grep -e mkdir -e chmod
./core/lib/Drupal/Component/PhpStorage/FileStorage.php: @chmod($path, 0777);
./core/lib/Drupal/Core/Archiver/ArchiveTar.php: if (!@drupal_mkdir($v_header['filename'], 0777)) {
./core/lib/Drupal/Core/Archiver/ArchiveTar.php: if (!@drupal_mkdir($p_dir, 0777)) {
./core/lib/Drupal/Core/FileTransfer/Local.php: if (!is_dir($directory) && @!mkdir($directory, 0777, TRUE)) {
./core/lib/Drupal/Core/Test/TestRunnerKernel.php: mkdir('public://simpletest', 0777, TRUE);
./core/modules/config/src/Tests/ConfigInstallProfileUnmetDependenciesTest.php: mkdir($dest, 0777, TRUE);
./core/modules/simpletest/src/BrowserTestBase.php: chmod($directory, 0777);
./core/modules/simpletest/src/InstallerTestBase.php: chmod($this->container->get('app.root') . '/' . $this->siteDirectory, 0777);
./core/modules/simpletest/src/WebTestBase.php: chmod($directory, 0777);
./core/modules/system/src/Tests/File/DirectoryTest.php: $this->settingsSet('file_chmod_directory', 0777);
./core/modules/system/src/Tests/File/DirectoryTest.php: $this->assertDirectoryPermissions($directory, 0777, 'file_chmod_directory setting is respected.');
./core/modules/system/src/Tests/File/HtaccessUnitTest.php: mkdir($public, 0777, TRUE);
./core/modules/system/src/Tests/File/HtaccessUnitTest.php: mkdir($private, 0777, TRUE);
./core/modules/system/src/Tests/File/HtaccessUnitTest.php: mkdir($stream, 0777, TRUE);
./core/modules/system/src/Tests/File/ReadOnlyStreamWrapperTest.php: $this->assertFalse(@chmod($uri, 0777), 'Unable to change file permissions when using read-only stream wrapper.');
./core/modules/system/src/Tests/File/UnmanagedSaveDataTest.php: $this->settingsSet('file_chmod_file', 0777);
./core/modules/system/src/Tests/Installer/DistributionProfileTest.php: mkdir($path, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsNoProfileTest.php: mkdir($this->settings['config_directories'][CONFIG_ACTIVE_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsNoProfileTest.php: mkdir($this->settings['config_directories'][CONFIG_STAGING_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsTest.php: mkdir($this->settings['config_directories'][CONFIG_ACTIVE_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerExistingSettingsTest.php: mkdir($this->settings['config_directories'][CONFIG_STAGING_DIRECTORY]->value, 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerLanguageDirectionTest.php: mkdir(\Drupal::root() . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerLanguagePageTest.php: mkdir(\Drupal::root() . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerTranslationMultipleLanguageTest.php: mkdir(DRUPAL_ROOT . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/InstallerTranslationTest.php: mkdir(\Drupal::root() . '/' . $this->siteDirectory . '/files/translations', 0777, TRUE);
./core/modules/system/src/Tests/Installer/SingleVisibleProfileTest.php: mkdir($path, 0777, TRUE);
./core/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php: if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0777, true)) {
./core/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php: if ( ! is_dir($directory) && ! @mkdir($directory, 0777, true)) {
./core/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FilesystemCache.php: if (false === @mkdir($filepath, 0777, true) && !is_dir($filepath)) {
./core/vendor/doctrine/cache/lib/Doctrine/Common/Cache/PhpFileCache.php: mkdir($filepath, 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/PermissionsTestCase.php: $this->assertFalse(@chmod(vfsStream::url('root/test_directory/test.file'), 0777));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/PermissionsTestCase.php: $this->assertFalse(@chmod(vfsStream::url('root/test_directory/test.file'), 0777));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/UnlinkTestCase.php: $root->getChild('test_directory')->chmod(0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/UnlinkTestCase.php: $root->getChild('test_directory')->getChild('test.file')->chmod(0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamGlobTestCase.php: mkdir(vfsStream::url('example/test/'), 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamResolveIncludePathTestCase.php: mkdir('vfs://root/a/path', 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamUmaskTestCase.php: mkdir(vfsStream::url('root/newdir'), 0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirSeparatorTestCase.php: mkdir('vfs://root/dir\bar\foo', true, 0777);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertFalse(mkdir(vfsStream::url('another/more'), 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertTrue(mkdir($this->fooURL . '/another/more', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertTrue(mkdir($this->fooURL . '/another/../more/.', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertFalse(mkdir($this->baz1URL . '/another/more', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: $this->assertTrue(mkdir($this->fooURL . '/another/more', 0777, true));
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: mkdir(vfsStream::url('testFolder') . '/testFolder/subTestFolder', 0777, true);
./core/vendor/mikey179/vfsStream/src/test/php/org/bovigo/vfs/vfsStreamWrapperDirTestCase.php: mkdir(vfsStream::url('testFolder') . '/testFolder/subTestFolder', 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/Clover.php: mkdir(dirname($target), 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/Crap4j.php: mkdir(dirname($target), 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML.php: mkdir($target . $id, 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML.php: mkdir($dir, 0777, true);
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/HTML.php: if (@mkdir($directory, 0777, true)) {
./core/vendor/phpunit/php-code-coverage/src/CodeCoverage/Report/XML.php: } elseif (!@mkdir($dir, 0777, true)) {
./core/vendor/phpunit/phpunit/src/TextUI/Command.php: chmod($tempFilename, 0777 & ~umask());
./core/vendor/phpunit/phpunit/src/Util/Printer.php: mkdir(dirname($out), 0777, true);
./core/vendor/symfony/class-loader/Symfony/Component/ClassLoader/ClassCollectionLoader.php: mkdir(dirname($cache), 0777, true);
./core/vendor/symfony/class-loader/Symfony/Component/ClassLoader/Tests/ClassMapGeneratorTest.php: mkdir($this->workspace, 0777, true);
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/File/File.php: if (false === @mkdir($directory, 0777, true) && !is_dir($directory)) {
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/NativeFileSessionHandler.php: mkdir($baseDir, 0777, true);
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/MockFileSessionStorage.php: mkdir($savePath, 0777, true);
./core/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Tests/FileBagTest.php: mkdir(sys_get_temp_dir().'/form_test', 0777, true);
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpCache/Store.php: mkdir($this->root, 0777, true);
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpCache/Store.php: if (!is_dir(dirname($path)) && false === @mkdir(dirname($path), 0777, true)) {
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/HttpCache/Store.php: if (!is_dir(dirname($path)) && false === @mkdir(dirname($path), 0777, true)) {
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/Kernel.php: if (false === @mkdir($dir, 0777, true) && !is_dir($dir)) {
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php: mkdir($this->folder, 0777, true);
./core/vendor/symfony/http-kernel/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php: mkdir($dir, 0777, true);
./core/vendor/twig/twig/lib/Twig/Environment.php: if (false === @mkdir($dir, 0777, true)) {
./core/vendor/twig/twig/test/Twig/Tests/EnvironmentTest.php: mkdir(dirname($cache), 0777, true);
./core/vendor/twig/twig/test/Twig/Tests/FileCachingTest.php: @mkdir($this->tmpDir, 0777, true);