Minimum (Hardened) File Permissions

Is there any published guidance for the proper/minimum/hardened file permissions for Discourse?

Specifically, I’m looking for a set of idempotent commands using chown and chmod to strip the permissions to be as low as possible and only grant them when necessary to the minimum privileged user/group.

I’d like this for both

  1. The files/dirs in the /var/discourse/ dir (and other important dirs) on the Discourse docker host and
  2. The files/dirs inside the Discourse docker container, especially the files/dirs inside the web server’s document root

For example, I’d like to make it so all the files/dirs in the Discourse container’s exposed document root:

  1. Have 0 world permissions
  2. Be read-write (2) to the web server’s user iff write access is required (i.e., the photo/attachment uploads dir)
  3. Be read-only (4) to the web server’s user otherwise
  4. Only have execute permission (1) if it’s a dir or is otherwise required for a file

Thank you
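As an added example (not from this thread, and not Discourse’s or discourse_docker’s own code), the policy listed above can be expressed as a small, idempotent shell function: a first pass strips every tree to owner-rw / group-r / world-nothing with the execute bit only on directories, and a second pass re-opens only the trees the web server must write to. Assumptions: a Linux host with GNU `find` and `stat`; files owned by a deploy user with the web server running as a member of the given group; and an illustrative layout in which `public/uploads` is the only writable tree (which directories a real Discourse container writes at runtime must be taken from discourse_docker’s web template, as the reply below suggests, not from this example).

```shell
#!/bin/sh
# Added example: apply the permission policy from the question to a document root.
#   read-only trees : dirs 0750, files 0640
#   writable trees  : dirs 2770 (setgid so new uploads inherit the group), files 0660
#   never any world bits; execute bit only on directories.
# Assumptions: Linux + GNU coreutils; owner = deploy user, group = web server's group.
# The layout built by build_sample_tree is constructed for illustration only.
set -eu

# harden_tree ROOT OWNER GROUP [WRITABLE_SUBDIR ...]
# Idempotent: a second run leaves ownership and modes unchanged.
# chown needs root unless OWNER is the invoking user.
harden_tree() {
    root=$1; owner=$2; group=$3; shift 3
    [ -d "$root" ] || { echo "harden_tree: not a directory: $root" >&2; return 1; }

    # Pass 1: everything read-only for the group, nothing for world, +x on dirs only.
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +

    # Pass 2: grant group write only where the web server has to write.
    for sub in "$@"; do
        dir="$root/$sub"
        [ -d "$dir" ] || mkdir -p "$dir"
        find "$dir" -type d -exec chmod 2770 {} +
        find "$dir" -type f -exec chmod 0660 {} +
    done
}

# world_bits_count ROOT: number of entries under ROOT with any world permission set.
# A hardened tree returns 0. (GNU find: -perm /MODE = "any of these bits")
world_bits_count() {
    find "$1" -perm /0007 | wc -l | tr -d ' '
}

# mode_of PATH: octal mode, e.g. 750 or 2770 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# build_sample_tree DIR: constructed stand-in for a document root, deliberately
# created with loose modes so the hardening visibly changes something.
build_sample_tree() {
    mkdir -p "$1/public/assets" "$1/public/uploads/default"
    printf '<html></html>\n' > "$1/public/index.html"
    printf 'body{}\n'        > "$1/public/assets/app.css"
    printf 'PNG\n'           > "$1/public/uploads/a.png"
    printf 'PNG\n'           > "$1/public/uploads/default/b.png"
    chmod -R 0777 "$1"
}

# Stand-alone demo: harden a throwaway tree as the current user/group.
if [ "${HARDEN_DEMO:-1}" = "1" ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    harden_tree "$tmp" "$(id -un)" "$(id -gn)" public/uploads
    echo "world-bit entries after hardening: $(world_bits_count "$tmp")"
    find "$tmp" -exec stat -c '%a %U:%G %n' {} +
    rm -rf "$tmp"
fi
```

Run it as root (or with `OWNER` set to the deploy user you are logged in as) against the real document root, listing every directory the application writes to at runtime as a `WRITABLE_SUBDIR`; if something the web server must write to was missed, the application will fail with a permission error rather than silently running with broader rights, which is the direction of failure you want. `world_bits_count` is the check to keep in a cron job or a CI step: it should print `0` after every deploy.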

Bump. Can the developers please chime in? This would be very helpful to have documented…

Best I can offer is to look at our container web.yml in discourse_docker; it sets permissions up there.

This is off the beaten path; you will need to experiment.
