File permissions for Rails app - how much can I lock it down


#1

I want to lock down my site as much as possible and would like to set
the file permissions as restrictively as possible.

Is there any reason that any file used by my app but not in the /public
directory needs or should have Read, Write, or eXecute for Public
permissions?

Thanks,
Bill


#2

If you are running mongrel then all of your apps code outside of
public can be locked down to just the user that mongrel runs as.

-Ezra

On Mar 26, 2007, at 9:59 AM, Bill W. wrote:

– Ezra Z.
– Lead Rails Evangelist
– removed_email_address@domain.invalid
– Engine Y., Serious Rails Hosting
– (866) 518-YARD (9273)


#3

Hi Ezra,

Ezra Z. wrote:

If you are running mongrel then all of your apps code outside of
public can be locked down to just the user that mongrel runs as.

Thanks much for that info. Does that change when I stop / start mongrel?
Like its pid? Or is it a constant? In any event, I assume that mongrel
is at least part of the Group, so I can get started on changing all the
Public permissions anyway. Thanks!

Best regards,
Bill


#4

Hi Russell,

Exactly the kind of thing I imagined myself doing, and why I asked here
before I dug myself into a hole ;) Thanks.

Bill
----- Original Message -----
From: Russell N.
To: removed_email_address@domain.invalid
Sent: Tuesday, March 27, 2007 10:51 AM
Subject: [Rails] Re: File permissions for Rails app - how much can I lock it down?

Wouldn’t you want log to be an exception? I just this weekend locked
my username out of a logfile created by my app and had to read it as
root. Heh.

RSL

On 3/26/07, Bill W. removed_email_address@domain.invalid wrote:

Hi Ezra,

Ezra Z. wrote:

> If you are running mongrel then all of your apps code outside of
> public can be locked down to just the user that mongrel runs as.

Thanks much for that info. Does that change when I stop / start mongrel?
Like its pid? Or is it a constant? In any event, I assume that mongrel
is at least part of the Group, so I can get started on changing all the
Public permissions anyway. Thanks!

Best regards,
Bill

#5

Wouldn’t you want log to be an exception? I just this weekend locked my
username out of a logfile created by my app and had to read it as root.
Heh.

RSL
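A shell sketch of the layout the thread converges on (everything outside public/ restricted to the user the app server runs as, log/ and tmp/ kept writable and group-readable so an admin in the group can read logs without root), added here as an example and not code from the thread. The app root, user and group are arguments you supply; it assumes a separate front-end web server (running as another user) serves public/, so that tree stays world-readable.

```shell
#!/bin/sh
# Added example, not from the thread. Usage:
#   lock_down_rails_app /path/to/app app_user app_group

lock_down_rails_app() {
  app_root="$1"; app_user="$2"; app_group="$3"
  # Everything belongs to the app-server user; "other" gets nothing.
  chown -R "$app_user:$app_group" "$app_root"
  find "$app_root" -type d -exec chmod 0750 {} +
  find "$app_root" -type f -exec chmod 0640 {} +
  # script/* must stay executable by the owner (script/server etc.).
  if [ -d "$app_root/script" ]; then
    find "$app_root/script" -type f -exec chmod 0750 {} +
  fi
  # public/ is served by the front-end web server, usually a different
  # user, so it stays world-readable; the app root is traverse-only for
  # "other" so that user can reach public/ without listing anything else.
  find "$app_root/public" -type d -exec chmod 0755 {} +
  find "$app_root/public" -type f -exec chmod 0644 {} +
  chmod 0751 "$app_root"
  # log/ and tmp/ are written by the app user; group members (admins)
  # keep read/write access so nobody gets locked out of a logfile.
  for d in log tmp; do
    if [ -d "$app_root/$d" ]; then
      chmod 0770 "$app_root/$d"
      find "$app_root/$d" -type f -exec chmod 0660 {} +
    fi
  done
}

# Audit helper: list files outside public/ that still grant anything
# to "other". Empty output means the tree is locked down as intended.
world_accessible_outside_public() {
  find "$1" -path "$1/public" -prune -o -type f \
    \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print
}
```

Run the audit helper before and after: any path it prints outside public/ is readable, writable or executable by every local account.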