peopleinside Hi, I'm looking into the security of some applications; I mean that, as my contribution, I'm working on checking that the security is good. What should the folder and file permissions be in a safer Flarum community installation? Do some folders have 775 as standard? I'm reading that this permission can be dangerous.

https://serverfault.com/questions/312999/is-it-safe-to-chmod-775-664-with-owner-www-datawww-data/313001
https://serverfault.com/questions/144194/is-chmod-775-safe-to-use/144195

To make all Flarum files and folders safer, do I just need to run the command below from the guide?

chown -R www-data:www-data flarumfoldername

Can it be bad if the vendor, public and storage folders have 775 permissions?
hvanmegen Assuming that every other website on that server runs under user www-data and group www-data, it is a bit of a security risk... unless your Flarum is the only site on that server; then it doesn't matter.
luceos Some principles that I rely on:

Do not grant permissions to these files to any user in case the web user (www-data by default) owns the Flarum files. Not even the www-data user, because that user already has access to these files as the owner.

After that, only the following directories/files need to be owned by the web user; you can pretty much chown the other directories back to root if you want extra security. These should always be owned by the web user:

- public/assets
- storage
- the root installation path (not recursively) before installation, so that Flarum can write the config.php

In case you run Composer commands (through CI/CD or directly), it's usually best to run them as the web user (www-data) using

sudo -u www-data composer <something>

but then you also need to widen your permissions to chown the following files/directories to the web user:

- composer.json and composer.lock
- vendor

Flarum needs no other access.

Not all hosting environments might play well with files/directories being chowned to root.

Disclaimer: written off the top of my head, let me know if you run into something.
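
An added example, not part of the thread: a read-only POSIX shell audit that checks a tree against the ownership layout in the post above and flags the group- or world-writable modes raised in the question. The function names, the output labels and the acceptance of config.php as web-owned are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Flarum tree against the layout
# in the post above. ROOT and WEB_USER are supplied by the caller.

# Print one finding per line for the tree rooted at $1, web user $2.
# $3 = "composer" also accepts web-user ownership of the composer paths.
flarum_scan() (
    cd "$1" || exit 2
    # Group- or world-writable entries (the 775/664 pattern asked about).
    # Symlinks are skipped: their mode bits always read 777 and grant nothing.
    find . ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's|^\./||; s|^|WRITABLE |'
    # Entries owned by the web user outside the paths the post lists.
    find . -user "$2" -print | sed 's|^\./||' | while IFS= read -r p; do
        case $p in
            # config.php is an assumption: the installer writes it as the web user.
            (.|config.php|storage|storage/*|public/assets|public/assets/*)
                continue ;;
            (composer.json|composer.lock|vendor|vendor/*)
                [ "$3" = composer ] && continue ;;
        esac
        printf 'WEB-OWNED %s\n' "$p"
    done
)

# Usage: audit_flarum ROOT [WEB_USER] [composer]
# Returns 0 when clean, 1 with findings printed, 2 if ROOT is not a directory.
audit_flarum() {
    [ -d "$1" ] || return 2
    findings=$(flarum_scan "$1" "${2:-www-data}" "${3:-}")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Each WEB-OWNED line is a path that could be chowned back to root under that layout; each WRITABLE line is a mode to tighten.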