Minimum (Hardened) File Permissions

maltfield · April 23, 2020, 11:05am

Is there any published guidance for the proper/minimum/hardened file permissions for Discourse?

Specifically, I’m looking for a set of idempotent commands using chown and chmod to strip the permissions to be as low as possible and only grant them when necessary to the minimum privileged user/group.

I’d like this for both

The files/dirs in the /var/discourse/ dir (and other important dirs) on the Discourse docker host and
The files/dirs inside the Discourse docker container, especially the files/dirs inside the web server’s document root

For example, I’d like to make it so all the files/dirs in the Discourse container’s exposed document root:

Have 0 world permissions
Be read-write (2) to the web server’s user iff write access is required (ie: photo/attachment uploads dir)
Be read-only (4) to the web server’s user otherwise
Only have execute permission (1) if it’s a dir or is otherwise required for a file

Thank you

maltfield · May 18, 2020, 11:18am

bump. Can the developers please chime-in? This would be very helpful to be documented…

sam · May 21, 2020, 6:12am

Best I can offer is look at our container web.yml in discourse_docker it sets permissions up there.

This is off beaten path you will need to experiment.

Topic		Replies	Views
Where to Upload a File support	7	4123	September 25, 2023
How i can manage roles for moderators and administrators? support	5	821	June 12, 2022
How install discourse in home path? installation	4	2803	December 12, 2015
Broken link in documentation? support upload , documentation	2	944	May 13, 2015
Bootsnap::CompileCache::PermissionError installation	12	1385	March 4, 2021

Minimum (Hardened) File Permissions

Related Topics