Feature - File Permissions Script (no due date)

I’ve had several issues with file permissions in my installation. Being a security administrator, I hate to loosen permissions inappropriately. It would be nice to know what the ideal permissions are for an installation to follow least privilege. Ideally, there would be a script to run or copy/paste after a new install or big update.



In principle eramba only needs write access to app/tmp/ and app/webroot/; for all other directories and files, read-only should be sufficient.

When updates are pushed by the system, eramba will try to add or remove files; of course Apache will need permission to do that. You can temporarily grant access and remove it once finished. As for the script, changing permissions on behalf of the administrator with PHP sounds like a no-go on our side. Building a template script should not be complicated, but every Linux does things in different ways; I’ll give it some thought and revert when we complete workflows.



PS: sorry, while writing my post I realised I edited yours… still getting acquainted with this forum!

PS: our install guide was updated:

OK, so I’m looking through the permissions on my installation. It looks like all of the PHP files are chmod 644, except for the PHP files in /app/Plugin/DebugKit/, which are all chmod 755. All of the folders appear to be 755.

But given your explanation, I should be able to change everything to 400, except app/tmp/ and app/webroot/, which should be 600. Right? I suppose there’s no harm in having world-readable files except for those that have credentials (e.g. /app/config/settings.php). So most would be 444, or your two examples could be 666.

So (still thinking out loud here) I could clean up my permissions by doing:

chown -R www-data:www-data /var/www/html/eramba_v2/
chmod -R 444 /var/www/html/eramba_v2/
chmod 400 /var/www/html/eramba_v2/app/config/settings.php
chmod 666 /var/www/html/eramba_v2/app/tmp/
chmod 666 /var/www/html/eramba_v2/app/webroot/

Is that about right?
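An added audit script, not from the thread or the eramba project, that checks an install tree against the rule stated in the reply above: nothing group- or world-writable outside app/tmp and app/webroot, every directory keeps its owner search (x) bit so the web server can still enter it, and app/config/settings.php is readable only by its owner. The install path and the file layout are assumptions; run it after any permission change to see what still deviates.

```shell
# Added example, not part of the thread. audit_perms ROOT prints one line per
# deviation from the least-privilege rule discussed above and nothing when clean.
# ROOT is assumed to be the eramba install dir, e.g. /var/www/html/eramba_v2.
audit_perms() {
  root=${1%/}
  {
    # 1. group- or world-writable entries outside the two areas that need writes
    find "$root" \( -path "$root/app/tmp" -o -path "$root/app/webroot" \) -prune \
         -o \( -perm -020 -o -perm -002 \) -print |
      sed 's|^|writable outside app/tmp and app/webroot: |'
    # 2. directories without the owner search (x) bit: a recursive chmod 444
    #    strips it, and a process can no longer enter such a directory even
    #    when the files inside are readable
    find "$root" -type d ! -perm -100 -print |
      sed 's|^|directory not searchable: |'
    # 3. the credentials file must not be readable by group or others
    find "$root/app/config/settings.php" \( -perm -040 -o -perm -004 \) -print |
      sed 's|^|credentials readable by group/others: |'
  } 2>/dev/null
}

# Number of findings as a plain integer (handy for a cron check: non-zero means drift).
count_findings() {
  audit_perms "$1" | grep -c . || :
}

# Usage: audit_perms /var/www/html/eramba_v2
```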