File permissions for Rails app - how much can I lock it down

wpwood · March 26, 2007, 7:00pm

I want to lock down my site as much as possible and would like to set
the file permissions as restrictively as possible.

Is there any reason that any file used by my app but not in the /public
directory needs or should have Read, Write, or eXecute for Public
permissions?

Thanks,
Bill

wpwood · March 26, 2007, 11:39pm

If you are running mongrel then all of your apps code outside of
public can be locked down to just the user that mongrel runs as.

-Ezra

On Mar 26, 2007, at 9:59 AM, Bill W. wrote:

– Ezra Z.
– Lead Rails Evangelist
– [email protected]
– Engine Y., Serious Rails Hosting
– (866) 518-YARD (9273)

wpwood · March 27, 2007, 12:12am

Hi Ezra,

Ezra Z. wrote:

If you are running mongrel then all of your apps code outside of
public can be locked down to just the user that mongrel runs as.

Thanks much for that info. Does that change when I stop / start
mongrel?
Like its pid? Or is it a constant? In any event, I assume that mongrel
is
at least part of the Group, so I can get started on changing all the
Public
permissions anyway. Thanks!

Best regards,
Bill

wpwood · March 27, 2007, 6:35pm

Hi Russell,

Exactly the kind of thing I imagined myself doing, and why I asked here
before I dug myself into a hole Thanks.

Bill
----- Original Message -----
From: Russell N.
To: [email protected]
Sent: Tuesday, March 27, 2007 10:51 AM
Subject: [Rails] Re: File permissions for Rails app - how much can I
lock it down?

Wouldn’t you want log to be an exception? I just this weekend locked
my username out of a logfile created by my app and had to read it as
root. Heh.

RSL

On 3/26/07, Bill W. [email protected] wrote:

Hi Ezra,

Ezra Z. wrote:

> If you are running mongrel then all of your apps code outside of
> public can be locked down to just the user that mongrel runs as.

Thanks much for that info.  Does that change when I stop / start

mongrel?
Like its pid? Or is it a constant? In any event, I assume that
mongrel is
at least part of the Group, so I can get started on changing all the
Public
permissions anyway. Thanks!

Best regards,
Bill

wpwood · March 27, 2007, 5:54pm

Wouldn’t you want log to be an exception? I just this weekend locked my
username out of a logfile created by my app and had to read it as root.
Heh.

RSL