Do I need to reinstall Flarum if installed via root / super user?

snarfel

So I followed this guide which doesn't really provide much commentary on running Composer as root so I ended up running as root for expediency:

https://www.howtoforge.com/tutorial/ubuntu-flarum/

However in the process of getting some extensions installed, I figured I'd read up on it more, and it seems like the general advice is to delete flarum going by this laravel Q&A as running composer as root to install flarum set privileges to things they shouldn't be? My forum works fine, I don't have any issues, I'm just worried about security. So it's not just a runtime risk when you install w/ root/super user? My directory flarum/ is a security risk, even if I don't use root/sudo to install extensions?:

https://stackoverflow.com/questions/43123427/sudo-composer-install-vs-composer-install/43123627

Do I need to rm /var/www/html/flarum and run composer create-project flarum/flarum . --stability=beta w/o super user? My forum has users/activity I'd rather not delete/erase if possible.

I'm asking as currently running composer to install extensions w/o root/sudo gives me:

./composer.json is not writable.

Hopefully I just need to chmod .josn and one or two other files rather than sql dump/backup, and go through the fun of reinstalling, etc flarum?

askvortsov

In this case, you should just recursively chown your flarum directory to the users you're using, ensuring that user that your web server process is running under has access to the storage and assets directories (and possibly others, I'd check the installation docs)

snarfel

askvortsov

Thanks for the quick approval/reply! 😃

So ps -ef | egrep '(httpd|apache2|apache)' | grep -vwhoami| grep -v root | head -n1 | awk '{print $1}'

outputs www-data. So just to confirm so I don't hose things, I'd want to run chown -hR www-data /var/www/html/flarum/ ?

luceos

There's no issue with having files be owned by root, because no other user has permission to modify them in usual scenarios. However some files and directories need to be owned by the web server user (www-data in most cases); these are:

public/assets completely, all existing files as well.
. the flarum root directory in case you haven't installed flarum yet. If you have, you can ignore that.
storage completely, all files and directories contained.

However when you want to run composer commands you still need to run those as sudo.

Better would probably be to use your own user, instead of root. The above permissions for www-data are still the same.

PS as a side note on the "security risk". What is risky is making all files owned by root and running the web process as root as well to fix the permission issue caused by that. Because the webserver will then execute scripts as root and root can do anything. With my suggestions above you will still run the webserver as the default user (www-data) and files/directories are owned by root, making them inaccessible to others.

askvortsov

Why -h, is your install symlinked?

You might also want to chown to the www-data users group, as in `chown - R www-data:www-data PATH_TO_DIR