What is the best File Permission and How to Set It on Cpanel.

KARAM_SIDHU

I installed flarum v1.8.1 using softacolous scripts via Cpanel and i'm running it on a litespeed shared hosting and the installation is in my subdirectory [Domain.com/forum]. Can please guide me on what is the best file permission to set in order to secure it and How to set it on cpanel such as which folder to set the permission?

luceos

Are you running into any issues?

The documentation had information on permissions here https://docs.flarum.org/install#folder-ownership

KARAM_SIDHU

luceos Hi, No any issues so far. Just that, I need to secure my flarum which is installed via softacolous over cpanel. Else than putting up some restrictions at the network level [cloudflare] and web server firewall, I would also like to review and tighten the file permissions specifically for my flarum files to avoid any backdoor attacks on my flarum. I had checked on the documentation previously and just now again, but, it seems that i need a peer to peer guidance on the proper file permissions to be set via the cpanel file manager. Can kindly assist me in this?

Additional Info: My Flarum is installed in a subdirectory and there are other sites in the other subdirectories as well. E.g: My Blog is at mydomain.com/blog and My this flarum is at mydomain.com/forum .

luceos

Normally you don't need to do anything related to file permissions, but if you really need to make sure to follow the path customizing documentation (https://docs.flarum.org/install/#customizing-paths) and then set directory permissions so that storage and public are writeable by the website user. After installation the root installation directory no longer needs writeable.

KARAM_SIDHU

luceos By leaving the file permission untouched [Default as it is - since installed via sotacolous], Does it impose any risk of hack?

On regards to the path customization, My default after installation url was bundled with/public and i've managed to get the /public removed from url and all changes were done accordingly by placing the files correctly and edit the .htaccess , index.php and site.php and it seem to be no issues on my flarum.

My greatest concern now is on the file permission part.

clarkwinkelmann

KARAM_SIDHU file permissions are rarely the biggest security issue.

Ideally you would run each website on its own process using a different shell user, and make sure the files for each website are owned by that user, and all files that should never be modified owned by a different user but allow the webserver user to still read them. But I am not aware of any hosting system that uses that approach, it's easier to contenerize the sites if you want that level of security.

If your host only has root and webserver user, you will not get much added benefit by tweaking file permissions because if either account gets hacked your server will be compromised.

The only approach that I think would make sense is to have "3" users. Have root but don't use it for anything web related, have a shell user that runs Composer commands and owns all Flarum skeleton and dependency files, and finally a webserver/PHP user that the webserver runs as, that's also used for any Cron or queue and owns the storage and assets folders. This would ensure that if a malicious PHP file somehow gets executed, the script should not be able to install a backdoor in Flarum itself. Unfortunately since the PHP user requires access to the Flarum configuration file, it will still be able to steal any data from MySQL, redis, etc. Even if the PHP user cannot read anything else it would still be very bad if it got hacked.

If the hacker only cares of turning your server into a botnet or crypto miner it doesn't matter much either, it would benefit if file permissions allow to compromise the Cron or Queue configuration so it can run without timeout.

This is all the theory and I'm not even sure it holds for Flarum because since views and formatter PHP files get pre-compiled and stored in storage folder, a malicious actor with the minimal permissions could still place their malicious code in those files to achieve what I described above.

If you are on a shared hosting, you probably won't have much flexibility and should just follow your host recommendations.

So in short, I'd just say make sure your vendor folder and config files are not exposed publicly to reduce the risk of a dangerous file being used for remote code execution, that your database contains only Flarum (no other prefixed tables in a single database) and the database user is only used for that database, and that the database cannot be accessed remotely. And keep Flarum and extensions up to date. This will cover most issues.

KARAM_SIDHU

clarkwinkelmann Hi There, First thing first, I would like to thank you for all the effort and work that you had put into composing and explaining in-depth and comprehensively. I highly appreciate that.

Basically, I've double checked on all the highlighted matters in your reply above + whatever is there in the flarum's documentation and created a checklist and i found that, my flarum and the environment where it is installed meets around 65% of the stated [Shared Hosting Environment] which is way sufficient for now, i guess.

Security had always been a priority, I would like to point out here specifically on regards to remote access. One of my practices is that, I had always been against of making use of remote access 😅 [I even totally remove FTP/SFTP records out of the Dns Zones] and all activities are conducted directly from the server and its internally assigned [such as cPanel - 2FA Enabled] over dedicated devices and secured network. My main concern was on the other layers of security mainly for my flarum script due to the ability to install application layer security isn't there at this moment and it is depending purely on the network layer security [Cloudflare] and Server layer Security only. However, The explanation had justified all the requireds.

Thanks once again man.