Drupal 6 Essential Training
Illustration by Don Barnett

Understanding security and permissions


  1. 4m 36s
    1. Welcome
      49s
    2. Using the example files
      3m 47s
  2. 28m 50s
    1. Drupal is a CMS
      7m 43s
    2. Choosing Drupal
      5m 31s
    3. Checking Drupal's requirements
      4m 26s
    4. Understanding the inner workings of Drupal
      4m 32s
    5. Meeting the Drupal community
      6m 38s
  3. 11m 26s
    1. Learning key terms in Drupal
      5m 19s
    2. Touring Drupal's interface
      6m 7s
  4. 34m 28s
    1. Installing WAMP and Drupal on Windows
      9m 41s
    2. Installing MAMP
      4m 34s
    3. Setting up the database on a Mac
      2m 1s
    4. Downloading and installing Drupal on a Mac
      6m 32s
    5. Troubleshooting installation problems
      3m 49s
    6. Automating updates with cron
      7m 51s
  5. 25m 34s
    1. Setting up clean URLs
      5m 51s
    2. Backing up your Drupal site
      3m 31s
    3. Restoring your Drupal site from backup
      4m 18s
    4. Wiping your Drupal installation clean
      2m 6s
    5. Updating Drupal
      9m 48s
  6. 15m 35s
    1. Using the Administration menu
      6m 20s
    2. Setting site information
      4m 50s
    3. Setting the theme
      4m 25s
  7. 35m 6s
    1. Understanding security and permissions
      7m 2s
    2. Controlling site access with user management
      3m 39s
    3. Creating users
      7m 57s
    4. Setting user profiles
      9m 40s
    5. Creating contact forms
      6m 48s
  8. 19m 18s
    1. Creating your site's basic info pages
      7m 12s
    2. Understanding page layout
      5m 40s
    3. Creating a flexible layout with blocks
      6m 26s
  9. 15m 34s
    1. Monitoring performance
      4m 51s
    2. Recovering from disasters
      7m 37s
    3. Improving administration skills
      3m 6s
  10. 41m 1s
    1. Understanding nodes
      6m 49s
    2. Creating basic content: Stories and pages
      7m 9s
    3. Enabling other content types
      9m 22s
    4. Adding blogs
      3m 48s
    5. Adding forums
      6m 56s
    6. Adding polls
      6m 57s
  11. 34m 48s
    1. Exploring content categories
      7m 44s
    2. Exchanging content via RSS
      9m 47s
    3. Using input filters
      7m 40s
    4. Managing comments
      9m 37s
  12. 38m 5s
    1. Configuring your theme
      11m 27s
    2. Changing your theme's graphics
      4m 59s
    3. Finding and installing a new theme
      8m 56s
    4. Understanding Cascading Style Sheets (CSS)
      5m 56s
    5. Deciphering CSS files
      6m 47s
  13. 22m 38s
    1. Finding modules
      6m 52s
    2. Unpacking and installing modules
      6m 29s
    3. Configuring modules
      3m 49s
    4. Implementing complex modules
      5m 28s
  14. 32m 10s
    1. Ensuring automated updates with poormanscron
      3m 10s
    2. Defining custom content types with CCK
      12m 53s
    3. Stopping spam using a CAPTCHA
      10m 43s
    4. Using a WYSIWYG text editor
      5m 24s
  15. 22m 18s
    1. Getting around with multilevel menus
      7m 26s
    2. Building custom menus
      5m 42s
    3. Creating easy-to-navigate books
      9m 10s
  16. 20m 18s
    1. Changing page templates with PHP
      8m 15s
    2. Using PHP in content
      5m 20s
    3. Implementing PHP snippets
      6m 43s
  17. 10m 14s
    1. Launching your site
      5m 51s
    2. Joining the Drupal community
      4m 23s
  18. 15s
    1. Goodbye
      15s

6h 52m Beginner Aug 25, 2008

Drupal is a free, open-source content management system (CMS) for a variety of platforms. It has a robust user community and easy-to-use administration features. Drupal Essential Training covers all the important aspects of installing, configuring, customizing, and maintaining a Drupal-powered website. Instructor Tom Geller explores blogs, discussion forums, member profiles, and other features while demonstrating the steps required to make Drupal perform. He also teaches fundamental concepts and skills along the way, including installation, backups, and updates; security and permissions; flexible page layouts and CSS; menu navigation; and performance monitoring and disaster recovery. He also discusses how to select and install the community-supported modules that further expand Drupal's capabilities, and gives experienced PHP programmers tips on customizing page templates. Example files accompany the course.

Topics include:
  • Understanding the inner workings of Drupal
  • Creating stories, pages, blogs, forums, and polls
  • Managing users and comments
  • Setting and customizing themes
  • Exchanging content via RSS
  • Stopping comment spam with a CAPTCHA
  • Launching a site and joining the Drupal community
Subject:
Web
Software:
Drupal
Author:
Tom Geller

Understanding security and permissions

The best site should be protected with the best security. So let's take a look at some steps you can take from the very beginning to ensure that you have complete control over who can access and change your content. We won't go into how to configure user roles within Drupal in this video; we will do that in another video. But a little bit of planning now will save you a lot of meddling about when that time comes, and could prevent some disastrous security errors. When you run a Drupal site, you will be concerned with security on three levels. First, the server, which contains all the core programs that run Drupal, any additional programs you have added, such as modules, and any custom programming that you created. Server security is especially important because some configuration files store passwords in plain text. If your server security is bad, someone might be able to break in and look at those passwords without you ever knowing that it happened. Second, MySQL, which contains virtually all of the content of your site. If your MySQL security is improperly set, an attacker could change the site's content, including matters relating to your users' identities. With full access to the MySQL database, the attacker can also change user passwords, effectively giving them full access while removing yours.

Finally, we have Drupal security, flaws in which can cause very similar effects to flaws in MySQL security, because really, Drupal is essentially just a nice user interface for the database and the web server. So while it would take a MySQL expert to cause particular vandalism through MySQL security flaws, even a novice attacker with full Drupal access could change content and passwords easily and efficiently. So let's take a look at Drupal security. In short, here's what you need to know.

As it's installed by default, Drupal security is user-based; that is, you categorize users as being members of a group and set limits on what members of that group can do. Among the users, there is one superuser. That's the administrator that you created when you first set up Drupal. That one has the ID of 1, if you go into the MySQL database. The second part of Drupal security is the two groups that are automatically built in: one is called Anonymous, the other one is called Authenticated.

Authenticated users are all those who have signed up for your site, while Anonymous users are those who just happen to be browsing it without signing in. Finally, Drupal security allows you to add more groups as you need them, and you probably will do that if you have a collaborative site. So for example, you may have one group that's Editors, one group that's Writers and another group that's Graphic Designers, each of which can only affect their particular area. There are other ways to control user access. Most important, however, is the permissions administration screen. You get to that screen by going to Administer and then scrolling down to Permissions. Here you see all of the different kinds of permissions that you can set. Each one of these lines is a different sort of permission and each one of the columns is a different sort of user. As you can see, you have your two built-in users here: Anonymous, who have not signed in, and Authenticated, who have. As we scroll down, there is a nice little trick here: Anonymous and Authenticated stay at the top, so you always know which column you are working with. That's new in Drupal 6, by the way.

By default, all users can access content; however, that's pretty much it. So any time you add an additional module or want to give permission to your Authenticated users to do something, you have to give them that permission specifically by turning it on with a checkbox and then clicking Save permissions. Another way that you can change permissions is to go into Administer and then, instead of seeing it by Task, see it by Module. In each one of these groups, you will see Configure permissions, which will bring you specifically to the part of that permission screen that deals with that particular module. For example, Block: let's click on Configure permissions and it automatically jumps down to the Blocks area, which has two different things that can be set. Besides giving you ways to control access through the permission screen, Drupal also offers some limited ways of looking at access logs, which can be useful for tracking attacks. For example, a series of failed login attempts in very close succession could be a sign that someone is using an automated program to guess at your users' passwords. Let's go and take a look at some of those reports. Go to Administer and then scroll down to Reports, and here you can see Recent log entries, which is everything. If there have been any Access denied errors, you can see those, and then if people happen to go to pages that don't exist, you can even see those. Let's take a look at log entries here. This is in reverse chronological order, so the most recent ones are at the top. But you could change that by clicking on any of these highlighted columns. For example, to sort by type, click here, and then to sort in the opposite direction, that is from Z to A, you would click again. Let's go back to date and then click again to see it again from most recent to least recent. In addition, you can filter these log messages, for example only to show those things that were at emergency level or another high level. If you hold down the Shift key, for example, we can see everything from warning on up, and then click Filter. That cuts out a lot of the noise that might otherwise distract you.

Finally, we should mention some parts of Drupal that are particularly vulnerable to attacks. First of all, any third-party modules, which were programmed by individuals and then contributed to the Drupal project, tend not to have as much oversight as the main Drupal project, which of course has dozens of people looking at it at any one time. Secondly, PHP and MySQL issues are always popping up, and this is much larger than Drupal. It's a good idea for Drupal administrators to keep an eye on these matters as well, although if you follow the Drupal news, they will usually report any that affect Drupal. Finally, most important to watch out for is good old social engineering, and by that I mean getting e-mails that say, "I am your administrator, give me your password," or anything else that's basically tricking your users.

As always, your main source of information about Drupal should be drupal.org, and specifically for security purposes, drupal.org/security. On the drupal.org/security page, you will see a list of advisories in reverse chronological order, so the most recent show up at the top. This video briefly discusses measures to protect the very top level, that is to say, Drupal itself. But then again, your Drupal installation is available to everybody on the internet if you make it public. Fortunately, a knowledgeable application of Drupal's user-based security systems is enough to stop most attacks.
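The permissions screen the video walks through (one row per permission, one column per role, with Anonymous and Authenticated built in) is stored in Drupal 6's database as the `permission` table, one row per role with the granted permissions in a single comma-separated string; rid 1 is the Anonymous role and rid 2 the Authenticated role. The following Python script is an added example, not part of the course or of Drupal's own code. It parses a constructed export of that table and applies two checks a site owner would want before launch: neither built-in role may hold a permission that hands over server-level control (anything beginning with "administer", and the block module's "use PHP for block visibility", which lets the holder run arbitrary PHP), and anything the Anonymous role holds beyond the install default of "access content" is listed for review. The permission names are real Drupal 6 core strings, but which role holds which is made up here, and rid 3 is a hypothetical "editor" role.

```python
import re

# Drupal 6 stores the permissions matrix one row per role in the `permission`
# table (pid, rid, perm, tid); `perm` is a single comma-separated string.
# rid 1 is the built-in Anonymous role and rid 2 the built-in Authenticated role.
BUILTIN_ROLES = {1: "anonymous user", 2: "authenticated user"}

# Constructed sample of `SELECT rid, perm FROM permission`. The permission
# strings are real Drupal 6 core permissions; which role holds which is made
# up for this example, and rid 3 is a hypothetical "editor" role.
SAMPLE_PERMISSION_ROWS = [
    (1, "access content, access comments"),
    (2, "access content, access comments, post comments, use PHP for block visibility"),
    (3, "access content, create story content, edit own story content, administer nodes"),
]

# What a fresh Drupal 6 install grants the Anonymous role: "all users can
# access content, however that's pretty much it".
DEFAULT_ANONYMOUS_PERMISSIONS = {"access content"}

# Permissions that no role granted automatically to every visitor or every
# registered account should hold: "administer ..." hands over a module's
# configuration, and "use PHP for block visibility" runs arbitrary PHP.
RISKY_PATTERNS = [re.compile(r"^administer "), re.compile(r"^use PHP")]


def parse_perm(perm):
    """Split Drupal 6's comma-separated permission string into a set of names."""
    return {name.strip() for name in perm.split(",") if name.strip()}


def permissions_by_role(rows):
    """Map rid -> set of permission names from (rid, perm) rows."""
    return {rid: parse_perm(perm) for rid, perm in rows}


def audit_builtin_roles(rows):
    """Return (rid, permission) pairs where a built-in role holds a risky permission."""
    findings = []
    for rid, names in permissions_by_role(rows).items():
        if rid not in BUILTIN_ROLES:
            continue
        for name in sorted(names):
            if any(pattern.search(name) for pattern in RISKY_PATTERNS):
                findings.append((rid, name))
    return findings


def excess_permissions(rows, rid, allowed):
    """Permissions `rid` holds beyond an explicit allow-list (least-privilege check)."""
    return permissions_by_role(rows).get(rid, set()) - set(allowed)


def report(rows):
    """Human-readable summary of both checks, for running the script by hand."""
    lines = []
    for rid, name in audit_builtin_roles(rows):
        lines.append("RISK: %s (rid %d) has '%s'" % (BUILTIN_ROLES[rid], rid, name))
    for name in sorted(excess_permissions(rows, 1, DEFAULT_ANONYMOUS_PERMISSIONS)):
        lines.append("REVIEW: anonymous user has '%s' beyond the install default" % name)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PERMISSION_ROWS)))
```

Against the constructed rows the script flags "use PHP for block visibility" on the Authenticated role (every account that signs up would be able to run PHP) and lists "access comments" on Anonymous for review. To run it against a real site, replace the sample rows with the output of the same SELECT from the site's database.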
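The "Recent log entries" report the video shows reads Drupal 6's `watchdog` table. A failed login is written there by user.module with type "user" and the fixed message pattern "Login attempt failed for %user." (the placeholder values are stored separately, PHP-serialized, in the `variables` column), a successful login as "Session opened for %name.", and the `hostname` column carries the client IP. As an added example, not from the course or from Drupal itself, the Python below automates the check the video suggests doing by eye: it runs a sliding window over a constructed set of such rows and raises one alert for any host that produces five or more failed logins within sixty seconds, listing the usernames it tried. The rows are modelled on the watchdog columns but simplified (variables shown as a dict rather than a serialized string), and the threshold and window are assumptions to tune for the site.

```python
from collections import defaultdict, deque

# Drupal 6's user.module writes a failed login to the watchdog table with
# type "user" and this exact message pattern; the username is stored apart,
# PHP-serialized, in the `variables` column. The `hostname` column holds the
# client IP. A successful login is logged as "Session opened for %name."
FAILED_LOGIN_MESSAGE = "Login attempt failed for %user."

# Detector tuning. These are assumptions for the example, not Drupal settings.
THRESHOLD = 5        # this many failures from one host ...
WINDOW_SECONDS = 60  # ... within this many seconds raise an alert

BASE = 1219708800    # arbitrary epoch start for the constructed rows below


def failed(offset, user, host):
    """Constructed watchdog row for a failed login (variables simplified to a dict)."""
    return {"timestamp": BASE + offset, "type": "user", "message": FAILED_LOGIN_MESSAGE,
            "variables": {"%user": user}, "hostname": host}


def opened(offset, name, host):
    """Constructed watchdog row for a successful login."""
    return {"timestamp": BASE + offset, "type": "user", "message": "Session opened for %name.",
            "variables": {"%name": name}, "hostname": host}


# Constructed sample: one host hammering the admin account, one host with two
# unrelated typos hours apart, and an unrelated "page not found" entry.
SAMPLE_WATCHDOG_ROWS = [
    failed(0, "admin", "203.0.113.7"),
    failed(5, "admin", "203.0.113.7"),
    failed(11, "admin", "203.0.113.7"),
    failed(18, "admin", "203.0.113.7"),
    failed(24, "admin", "203.0.113.7"),
    failed(31, "admin", "203.0.113.7"),
    failed(100, "writer", "198.51.100.20"),
    opened(110, "writer", "198.51.100.20"),
    {"timestamp": BASE + 200, "type": "page not found", "message": "favicon.ico",
     "variables": {}, "hostname": "192.0.2.10"},
    failed(4000, "editor", "198.51.100.20"),
]


def failed_logins(rows):
    """Keep only the rows that record a failed login attempt."""
    return [r for r in rows if r["type"] == "user" and r["message"] == FAILED_LOGIN_MESSAGE]


def detect_bursts(rows, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failed logins per source host.

    Returns one alert per host, raised the first time that host reaches
    `threshold` failures within `window` seconds, with the usernames tried.
    """
    recent = defaultdict(deque)   # hostname -> deque of (timestamp, username)
    alerted = set()
    alerts = []
    for r in sorted(failed_logins(rows), key=lambda r: r["timestamp"]):
        host, ts = r["hostname"], r["timestamp"]
        q = recent[host]
        q.append((ts, r["variables"]["%user"]))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({
                "hostname": host,
                "count": len(q),
                "first": q[0][0],
                "last": ts,
                "usernames": sorted({u for _, u in q}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_WATCHDOG_ROWS):
        print("%(hostname)s: %(count)d failed logins in %(span)ds, usernames %(usernames)s"
              % dict(a, span=a["last"] - a["first"]))
```

On the sample rows the only alert is for 203.0.113.7, raised at its fifth failure 24 seconds after the first; the two typos from 198.51.100.20 are hours apart and never reach the threshold. Many distinct usernames in one alert would point at password spraying rather than an attack on a single account.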

Find answers to the most frequently asked questions about Drupal 6 Essential Training.


Q: While following along to the installation instructions in the “Installing WAMP and Drupal on Windows” chapter in the Drupal Essential Training title, an error occurs when attempting to open the local host page. Nothing appears except for an error reading “WAMPSERVER server offline.” What is causing this?
A: There is a known problem with some versions of WAMP that include a version of PHP (5.3) that some versions of Drupal are not compatible with. See http://tomgeller.com/content/tips-running-drupal-windows-using-wamp#comment-831 for more information.
If that is not causing the issue, reference the tips at http://tomgeller.com/content/tips-running-drupal-windows-using-wamp.
If you don't see the solution at either of those links, try using another AMP stack, such as XAMPP or the Acquia stack installer. See http://tomgeller.com/content/what-hells-wrong-drupal-wamp for discussion about these.
Q: After installing XAMPP and running Drupal for the first time, the Administration menu does not appear. What is the reason for this?
A: There are several possible problems. Here are some likely solutions. (These may also solve problems encountered with other AMP stacks.)
  1. Increase XAMPP's PHP allocation.
  2. Check to make sure all XAMPP's paths are correct and that permissions are correct. If the database information appears, but not Drupal's supporting files, and an included theme is being used, the supporting files will be in the /modules folder.
  3. Another solution is to not use WAMP or XAMPP. One option is to use Acquia's Drupal Stack Installer ("DAMP"), which can be found at http://www.acquia.com/downloads. However, that installs Acquia Drupal, which is a version of "normal" Drupal extended with additional modules. If only core Drupal is desired, see the instructions at http://acquia.com/blog/kieran/try-drupal-7-alpha-your-laptop-or-desktop. (The instructions are for Drupal 7, but will work for Drupal 6 as well.)
Q: In the "Using the example files" movie, the method of importing information to the database is shown, using the backup in Chapter 10. When attempting to do this, the following error is shown: "No data was received to import. Either no file name was submitted, or the file size exceeded the maximum size permitted by your PHP configuration. See FAQ 1.16." The system is running the latest versions of Apache, PHP and MySQL, on Windows Vista. What could be causing the problem?
A: This is probably caused because your AMP stack allocates too little memory to PHP. 
 
That's especially true if you're using WAMP, which only gives PHP 2MB of memory, when it really needs at least 16MB. 
You'll see the issue if you go to the MySQL-controlling phpMyAdmin screen (probably at http://localhost/phpMyAdmin) and click "Import": The maximum file size allowed is 2,048K. That's only 2MB, and the databases for most Drupal sites are much larger than that. (The example site for Drupal Essential Training gets as big as 5MB.) The video "Installing WAMP and Drupal on Windows" shows (at around 3:30) where the php.ini file is, but here are some more-complete instructions to increase that memory limit. 

  1. Click the WAMP icon in your system tray.
  2. Select "PHP". In the side menu, select "php.ini" to open a file containing PHP's configuration options.
  3. Search for the line, "upload_max_filesize = 2M".
  4. Change it to "upload_max_filesize = 32M" (or whatever you like). 
  5. Save the file and restart WAMP. (Better yet, restart your computer entirely to be sure. I'm frankly not sure whether it makes a difference.)
  6. Now go back to that "Import" screen in phpMyAdmin: You should notice that the limit has changed.
Q: I don't remember the default username and password used to demonstrate Drupal.
A: The default username used in the course is "admin"; the default password is "booth".
Q: How can I change Drupal's administrative username and password?
A: If for some reason the default exercise file username (admin) and password (booth) don't work, you can change them in the database itself using phpMyAdmin. (This technique is demonstrated in a video from Chapter 8, "Recovering from disasters".)

  1. Open your Drupal database with phpMyAdmin.
  2. Go to the "users" table. Click the Browse icon.
  3. For the row where uid = 1, click the Edit icon. (Note the value under the "Name" column: That's the administrator's username.)
  4. In the "pass" row, select "MD5" under the "Function" column.
  5. In the same row, enter your new password under the "Value" column.
  6. At the bottom of the screen, click the "Go" button. You should now be able to log in with that username and new password.
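A caveat on that procedure, with an added Python example that is not part of the course or of Drupal: selecting "MD5" in phpMyAdmin works because Drupal 6 stores every password in the `users` table as unsalted md5(password). That is also why the video's warning about MySQL access matters so much. Anyone who can read the table can compare those hashes against a wordlist offline, and because there is no salt, one MD5 computation per wordlist entry tests every account at once; a password such as "booth" falls immediately. The script rebuilds the relevant columns of the table in an in-memory SQLite database (the accounts and the wordlist are constructed), performs the same UPDATE on uid 1 that the FAQ does through phpMyAdmin, and then shows what a wordlist still recovers.

```python
import hashlib
import sqlite3

# Drupal 6 stores each account's password in users.pass as unsalted
# md5(password), hex-encoded, which is why the FAQ has you pick "MD5" in
# phpMyAdmin. Everything below is a constructed stand-in for that table.


def d6_password_hash(password):
    """Exactly what Drupal 6 writes to users.pass: md5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample accounts. "booth" is the course's exercise-file password;
# the other accounts and passwords are made up for this example.
SAMPLE_ACCOUNTS = [
    (0, "", ""),                                  # Drupal's anonymous placeholder row, uid 0
    (1, "admin", d6_password_hash("booth")),      # the superuser, uid 1
    (2, "writer", d6_password_hash("letmein")),
    (3, "editor", d6_password_hash("T7#q!v9Lp^zRw2")),
]

# A tiny constructed wordlist. Real attackers use lists of hundreds of
# millions of entries plus precomputed MD5 tables.
SAMPLE_WORDLIST = ["password", "123456", "booth", "letmein", "drupal", "admin"]

# Constructed replacement password for the demo below; not in the wordlist.
NEW_ADMIN_PASSWORD = "Mv4$k-long-and-random-9Qz"


def build_sample_users_db():
    """In-memory SQLite copy of the columns of Drupal's `users` table the FAQ touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def reset_uid1_password(conn, new_password):
    """The FAQ's phpMyAdmin edit as SQL. Against MySQL this would be
    UPDATE users SET pass = MD5('<new>') WHERE uid = 1; SQLite has no MD5(),
    so the hash is computed in Python instead."""
    conn.execute("UPDATE users SET pass = ? WHERE uid = 1", (d6_password_hash(new_password),))
    conn.commit()
    return conn.execute("SELECT pass FROM users WHERE uid = 1").fetchone()[0]


def check_password(conn, uid, candidate):
    """How Drupal 6 verifies a login: hash the candidate and compare to users.pass."""
    stored = conn.execute("SELECT pass FROM users WHERE uid = ?", (uid,)).fetchone()[0]
    return stored == d6_password_hash(candidate)


def crack_with_wordlist(conn, wordlist):
    """What anyone who can read the table can do offline. With no salt, the
    hashes of the wordlist are computed once and looked up for every row."""
    lookup = {d6_password_hash(w): w for w in wordlist}
    return {name: lookup[pw]
            for _, name, pw in conn.execute("SELECT uid, name, pass FROM users")
            if pw in lookup}


def demo():
    """Reset uid 1 the FAQ's way and show which accounts the wordlist still recovers."""
    conn = build_sample_users_db()
    before = crack_with_wordlist(conn, SAMPLE_WORDLIST)
    reset_uid1_password(conn, NEW_ADMIN_PASSWORD)
    after = crack_with_wordlist(conn, SAMPLE_WORDLIST)
    return {"cracked_before_reset": before,
            "cracked_after_reset": after,
            "admin_login_with_new_password": check_password(conn, 1, NEW_ADMIN_PASSWORD)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Before the reset the wordlist recovers both "admin" and "writer"; after it only "writer" remains, which is the point: the FAQ's reset fixes the one row, but every other weak password in the table stays recoverable by anyone who obtains a copy of the database or a backup of it. Choose a long random password for uid 1, treat database dumps as sensitive as the passwords themselves, and change the "booth" default before exposing an exercise site to the network.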
Q: In Windows Vista, the WAMP icon disappears from the system tray after a certain amount of time. How do I get it to reappear?
A: To make the WAMP icon reappear (so that you can access localhost, phpmyadmin, php.ini, etc.), you have to activate the "start WAMP server" icon (from start menu, desktop or wherever). The system tray icon will reappear.
Q: My .htaccess file disappeared. What caused this?
A: A few times during the Drupal Essential Training video series, the instructor says to copy a Drupal installation by selecting all the files in the folder and then "dragging and dropping" them, either to a server or another location on your local computer. This is not the best way to do so, as the hidden file ".htaccess" will not be copied. 

There are two ways to get around that problem: 
  1. When installing Drupal for the first time: Instead of copying files from the Drupal folder, move the entire folder to its target location and rename it. This is the easiest solution for those without experience with Unix. 
  2. Use the command-line interface to copy the .htaccess file.
Sorry for the error.
Q: In the video, the instructor says the current version of Drupal is 6.3, but on the drupal.org site, the latest version is 6.17. Which is the newer version of Drupal?
A: Drupal 6.17 is newer than version 6.3. For some reason, the version numbers go 6.3, 6.4... 6.9, 6.10... 6.17. It's counter-intuitive, but that's the order.
Q: My WAMP phpMyadmin will not allow me to upload the exercise files. It returns this message: "No data was received to import. Either no file name was submitted, or the file size exceeded the maximum size permitted by your PHP configuration. See FAQ 1.16." There was no previous database to drop, so what do I need to do to make this work?
A: This is a common problem, caused not by Drupal, but by WAMP. WAMP only allows you to upload files of 2MB or smaller, which is much too small. The solution is detailed at http://tomgeller.com/cant-import-a-drupal-site-in-windows.
 