WARNING: containers/app.yml file is world-readable. You can secure this file by running: chmod o-rwx containers/app.yml

This warning is from when rebuilding Discourse. A similar message appeared when rebuilding the mail-receiver: WARNING: containers/mail-receiver.yml file is world-readable. You can secure this file by running: chmod o-rwx containers/mail-receiver.yml

Is this a warning to ignore or act on? Thanks.

What words should it include to make you think that you should do exactly what it recommends?

1 Like

At face value it looks as though you are being sarcastic (and insinuating that it’s obvious I should do what it recommends) but you are usually very polite and helpful so I am not sure.

If it were to say “You must…” rather than “You can…” I’d be happier to do what it recommends without checking here.

Also, sometimes I have reported warnings here and been told not to worry about them because, for instance, a decision has been made to continue doing things a certain way despite the warning message (e.g. “You can ignore those warnings”: Warnings: overcommit_memory and Transparent Huge Pages).

I also wonder whether following the recommendation might cause some unintended consequence.

No. This is something that you arguably do. I wanted to know what words to include that would make you do what it said rather than ask if you should.

But in light of your other three topics that are about things you should ignore, my sincere question makes little sense. (Each of those is about output that should be ignored.)

Since you likely have only a root user who can log in, having something that is world writable isn’t a huge deal, so it’s not clear (to me) why someone decided that this was worth anyone’s time.

So I think the answer to my question would be “there would need not to be a bunch of warnings printed that are not, in fact, warnings at all”. Does that seem right?

1 Like

What might help here is if the “why” was explained in the warning. Your file is world readable, if there are other users that have SSH access to this machine, they will be able to steal your database password, chmod it to resolve this.

(It would also avoid confusion if you answered the question and then asked for details (“No, you can ignore it, assuming you’re the only user. What words…”))

4 Likes

Thanks for clarifying this. I wasn’t being sarcastic – I genuinely believed that you are usually polite and helpful, and now believe that you always are 🙂 I misunderstood your response and apologise for that.

Yes, I’ve followed the current setup instructions which don’t create a non-root user. I have a feeling that earlier instructions did but can’t remember for sure. I’ll ignore the error.

Some sort of wording that makes it clear that the warning is from or endorsed by the Discourse team, and that it must be followed, would have had the effect you wondered about.

An explanation within the warning/advice would help, as proposed above, since on this occasion it’s not the case that it must always be followed.

Well, thanks, but

Richard is right again. I should have provided an answer.

2 Likes

After upgrading Discourse I too had this warning about app.yml, and I did it: chmod o-rwx containers/app.yml. Everything works fine.

3 Likes

If you’re following the standard install then the message is pretty erroneous and requires no action.

It doesn’t mean that the entire world can read the file, only other users with remote access to the filesystem. It’s safe to ignore.

1 Like

Is this what the new line in the standard install guide is about?

sudo -s
git clone https://github.com/discourse/discourse_docker.git /var/discourse
cd /var/discourse
chmod 700 containers

Basically, yes. Permissions are usually noted as three octal digits, the first is user permissions:

0 – nothing
1 – execute
2 – write
3 (1+2) – execute and write
4 – read
5 – read and execute
6 (2+4) – write and read
7 (1+2+4) – read, write and execute

The second is file group and the third is world.

1 Like
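An added example, not part of the thread and not launcher's own check: it shows how the file-level fix from the warning (chmod o-rwx) and the directory-level fix from the install guide (chmod 700 containers) each cut off other users. The function names and the sample file content are hypothetical, and the demo runs in a throwaway directory.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of launcher.

# True if the path grants any read/write/execute bit to "world" (third digit).
world_accessible() {
  [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# True if other users may traverse into the directory (world execute bit).
dir_traversable() {
  [ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# True only if the file has world bits AND its parent directory lets others in.
# Simplification: only the immediate parent is checked, not every ancestor.
exposed() {
  world_accessible "$1" && dir_traversable "$(dirname "$1")"
}

# Print every *.yml in a directory that has a world permission bit set.
audit_containers() {
  for f in "$1"/*.yml; do
    [ -e "$f" ] || continue
    if world_accessible "$f"; then printf '%s\n' "$f"; fi
  done
}

# Constructed demo in a temporary directory; no real install is touched.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/containers" && chmod 755 "$tmp/containers"
  printf 'SAMPLE_SECRET: constructed-value\n' > "$tmp/containers/app.yml"
  chmod 644 "$tmp/containers/app.yml"
  echo "flagged before: $(audit_containers "$tmp/containers")"
  chmod 700 "$tmp/containers"            # directory fix from the install guide
  if exposed "$tmp/containers/app.yml"; then
    echo "still reachable by other users"
  else
    echo "file has world bits, but the directory mode blocks other users"
  fi
  chmod o-rwx "$tmp/containers/app.yml"  # file fix from the warning
  echo "flagged after: $(audit_containers "$tmp/containers")"
  rm -rf "$tmp"
}

demo
```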

Oh. I hadn’t noticed that. If we really believe that these permissions are now important, we should have discourse-setup do that, or maybe even launcher.

1 Like