Is there any published guidance for the proper/minimum/hardened file permissions for Discourse?
Specifically, I’m looking for a set of idempotent commands using chmod to strip the permissions to be as low as possible and only grant them when necessary to the minimum privileged user/group.
I’d like this for both
- The files/dirs in the /var/discourse/ dir (and other important dirs) on the Discourse docker host and
- The files/dirs inside the Discourse docker container, especially the files/dirs inside the web server’s document root
For example, I’d like to make it so all the files/dirs in the Discourse container’s exposed document root:
- Have 0 world permissions
- Be read-write (2) to the web server’s user iff write access is required (i.e. photo/attachment uploads dir)
- Be read-only (4) to the web server’s user otherwise
- Only have execute permission (1) if it’s a dir or is otherwise required for a file
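As an added example (not from the original post, and not part of Discourse's own tooling), here is one way to express the four rules above as an idempotent shell function built on find and chmod. The document root path, the uploads path and the existence of a separate `chown root:<web-group>` step are all assumptions; the function only touches mode bits, so granting read access to the web server's user is done by group membership, and any file that genuinely needs execute has to be re-granted explicitly via the second helper.

```shell
#!/bin/sh
# Assumed layout (illustrative, not Discourse's actual paths):
#   DOCROOT  - the web server's exposed document root
#   UPLOADS  - the subtree the web server must be able to write to
# Ownership (e.g. chown -R root:<web-group>) is assumed to be handled
# separately; this function only sets mode bits and is safe to re-run.

harden_docroot() {
    docroot="$1"
    uploads="$2"

    # Rule: no world bits, read-only for owner and group, execute only on
    # directories. Octal modes make the end state independent of the
    # starting state, which is what makes repeated runs a no-op.
    find "$docroot" -type d -exec chmod 0550 {} +
    find "$docroot" -type f -exec chmod 0440 {} +

    # Rule: write access only where it is actually required (uploads).
    if [ -d "$uploads" ]; then
        find "$uploads" -type d -exec chmod 0770 {} +
        find "$uploads" -type f -exec chmod 0660 {} +
    fi
}

# Rule: a file gets execute only when something requires it. Call this
# explicitly per file after harden_docroot rather than granting +x broadly.
allow_exec() {
    chmod u+x,g+x "$1"
}
```

Run it as `harden_docroot /path/to/docroot /path/to/docroot/uploads` from a cron job or deploy hook; running it twice leaves every mode unchanged, and the world-readable default of freshly copied files is removed on the next pass.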