Locking down permissions on a RoR project

I am on a shared server (DreamHost). My RoR project contains
confidential information in the structure of its code, its logs, and of
course its mysql database.

What are the minimum chmod permissions to set so that the app is still
served correctly by Apache, but otherwise grants minimum world access?

Most just leave it at “chmod -R 755 rorfolder” but that’s a bit too
open for my taste. Do I have to have all the code be o+r?

Sai E. wrote:

I am on a shared server (DreamHost). My RoR project contains
confidential information in the structure of its code, its logs, and of
course its mysql database.

What are the minimum chmod permissions to set so that the app is still
served correctly by Apache, but otherwise grants minimum world access?

Most just leave it at “chmod -R 755 rorfolder” but that’s a bit too
open for my taste. Do I have to have all the code be o+r?

I’m assuming the user owns the directory so you have to set 701 on the
root and public directory so apache can access them as other. I’m
assuming the dispatch file is being suexeced so that could be 700. All
other directories should be 700 and all other files should be 600.

Of course I could be way off base also.

On Dec 12, 8:14 pm, Michael G. wrote:

I’m assuming the user owns the directory

User owns the directory except ~/logs which is owned by root and used
for Apache logs.

I’m assuming the dispatch file is being suexeced so that could be 700.

Wrong on that count. No su access at all; dispatch is executed as user.

  • Sai

Sai E. wrote:

On Dec 12, 8:14 pm, Michael G. wrote:

I’m assuming the user owns the directory

User owns the directory except ~/logs which is owned by root and used
for Apache logs.

I’m assuming the dispatch file is being suexeced so that could be 700.

Wrong on that count. No su access at all; dispatch is executed as user.

  • Sai

Apache would normally run dispatch as the user used to run Apache. If
it’s running dispatch with the user account it must be suexeced.
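
The scheme proposed in the replies above (701 on the project root and public, 700 on the dispatch file and all other directories, 600 on all other files), as an added shell example that is not from any poster in the thread: `apply_scheme` sets it and `audit_other` lists every path that still grants a permission bit to other. The function names and the `public/dispatch.*` glob are assumptions; the thread only says "the dispatch file".

```shell
#!/bin/sh
# Added example: apply the thread's permission scheme, then audit for drift.
# Assumption: dispatchers are public/dispatch.* (the thread only says "the dispatch file").

apply_scheme() {
    root=${1%/}
    # Start fully private: directories 700, files 600.
    find "$root" -type d -exec chmod 700 {} +
    find "$root" -type f -exec chmod 600 {} +
    # Apache, as "other", only needs to traverse the project root and public/.
    chmod 701 "$root" "$root/public"
    # The dispatcher is executed as the owning user, so owner-only rwx is enough.
    for f in "$root"/public/dispatch.*; do
        if [ -f "$f" ]; then chmod 700 "$f"; fi
    done
}

# Print every path that still grants any permission bit to "other",
# except the project root and public/ when they are exactly 701.
audit_other() {
    root=${1%/}
    find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
    while IFS= read -r p; do
        case $p in
            "$root"|"$root/public")
                if [ -n "$(find "$p" -prune -perm 701)" ]; then continue; fi ;;
        esac
        printf '%s\n' "$p"
    done
}

# Usage: sh lockdown.sh audit|apply PROJECT_DIR
case ${1:-} in
    apply) apply_scheme "$2" ;;
    audit) audit_other "$2" ;;
esac
```

Files under public end up 600 here, exactly as the reply states; whether Apache can then read static files depends on the user it serves them as, which the thread leaves open.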