Minimum (Hardened) File Permissions

maltfield · April 23, 2020, 11:05am

Is there any published guidance for the proper/minimum/hardened file permissions for Discourse?

Specifically, I’m looking for a set of idempotent commands using chown and chmod to strip the permissions to be as low as possible and only grant them when necessary to the minimum privileged user/group.

I’d like this for both

The files/dirs in the /var/discourse/ dir (and other important dirs) on the Discourse docker host and
The files/dirs inside the Discourse docker container, especially the files/dirs inside the web server’s document root

For example, I’d like to make it so all the files/dirs in the Discourse container’s exposed document root:

Have 0 world permissions
Be read-write (2) to the web server’s user iff write access is required (ie: photo/attachment uploads dir)
Be read-only (4) to the web server’s user otherwise
Only have execute permission (1) if it’s a dir or is otherwise required for a file

Thank you

maltfield · May 18, 2020, 11:18am

bump. Can the developers please chime-in? This would be very helpful to be documented…

sam · May 21, 2020, 6:12am

Best I can offer is look at our container web.yml in discourse_docker it sets permissions up there.

This is off beaten path you will need to experiment.

Topic		Replies	Views
Permissions for uploads folder? Installation	16	64	August 12, 2024
Where to Upload a File Support	7	4365	September 25, 2023
Centminmod + discourse Installation	3	826	August 25, 2022
Installing docker-discourse folder in /var/discourse Installation	7	1271	February 27, 2019
Custom discourse with limited features Dev	7	1031	July 1, 2021

Minimum (Hardened) File Permissions

Related Topics