Laravel framework file permission - Security

Published 4 years ago by jdhrivas

I've been developing locally for a while and now that I'm ready to move to production I realized I have modified files/folders permissions in several places. Is there a function I can run to make sure my app has the correct file/folder permission? My main concern is security or leaving folders vulnerable and open to the world.

Any suggestions are welcome.

Best Answer (As Selected By jdhrivas)
bashy

Most folders should be normal "755" and files, "644"

Laravel requires some folders to be writable for the web server user. You can use these command on *nix based OSs.

Using ACL

// nginx = web server user
// systemuser = your local user which you use to login via ssh
sudo setfacl -Rdm u:nginx:rwx,u:systemuser:rwx storage
sudo setfacl -Rm u:nginx:rwx,u:systemuser:rwx storage

If you don't have ACL, you can use these but they're not so great;

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache
bashy
bashy
4 years ago (1,001,970 XP)

The only folder front facing should be everything in /public

Not sure why you would of changed permissions of folders/files apart from app/storage which needs write permissions for cache/session (if you have that).

jdhrivas

Great, so let me rephrase what you said. All the folders/files should be read-only expect for public folder and app/storage. Public and app/storage will have chmod 777, everything else in the framework is chmod 644, is that correct?

Thanks!

bashy
bashy
4 years ago (1,001,970 XP)

Most folders should be normal "755" and files, "644"

Laravel requires some folders to be writable for the web server user. You can use these command on *nix based OSs.

Using ACL

// nginx = web server user
// systemuser = your local user which you use to login via ssh
sudo setfacl -Rdm u:nginx:rwx,u:systemuser:rwx storage
sudo setfacl -Rm u:nginx:rwx,u:systemuser:rwx storage

If you don't have ACL, you can use these but they're not so great;

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache
jdhrivas

Bashy, thank you very much for your help! This is exactly what I was looking for.

bashy
bashy
4 years ago (1,001,970 XP)

No problem, also if you have any upload folders or folders that the webserver user needs to write to, 777 them or 755 with owner as webserver user :)

imatsu

find {laravel-folder}/ -type d -exec chmod 755 {} ;

find {laravel-folder}/ -type d -exec chmod ug+s {} ;

find {laravel-folder}/ -type f -exec chmod 644 {} ;

chown -R {username}:www-data {laravel-folder}

chmod -R 777 {laravel-folder}/storage

chmod -R 777 {laravel-folder}/bootstrap/cache/

and now you can forget about it

bashy
bashy
2 years ago (1,001,970 XP)

@imatsu No no no no. Why 777?

This is better

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

Shouldn't make everything read/writable for web server user...

djap96

777 permission is the only permission configuration that works for me

bashy
bashy
2 years ago (1,001,970 XP)

@djap96 Then you're allowing other users on the system to write to storage folders, including cache, session and anything else you put in storage.

bgies
bgies
2 years ago (1,240 XP)

Just to state the obvious for anyone viewing this discussion.... if you give any of your folders 777 permissions, you are allowing ANYONE to read, write and execute any file in that directory.... what this means is you have given ANYONE (any hacker or malicious person in the entire world) permission to upload ANY file, virus or any other file, and THEN execute that file...

IF YOU ARE SETTING YOUR FOLDER PERMISSIONS TO 777 YOU HAVE OPENED YOUR SERVER TO ANYONE THAT CAN FIND THAT DIRECTORY. Clear enough??? :)

What bashy says above is absolutely correct, although not totally complete.

The NORMAL way to set permissions is to have your files owned by the webserver:

    sudo chown -R www-data:www-data /path/to/your/root/directory

if you do that, the webserver owns all the files, and is also the group, and you will have some problems uploading files or working with files via FTP, because your FTP client will be logged in as you, not your webserver, so add your user to the webserver user group:

  sudo usermod -a -G www-data ubuntu

Of course, this assumes your webserver is running as www-data (the Homestead default), and your user is ubuntu (it's vagrant if you are using Homestead.

Then you set all your directories to 755 and your files to 644... SET file permissions

sudo find /path/to/your/root/directory -type f -exec chmod 644 {} \;    
SET directory permissions
sudo find /path/to/your/root/directory -type d -exec chmod 755 {} \;

I prefer to own all the directories and files (it makes working with everything much easier), so I do:

sudo chown -R www-data:www-data /path/to/your/root/directory
Then I give both myself and the webserver permissions:
sudo find /path/to/your/root/directory -type f -exec chmod 664 {} \;    
sudo find /path/to/your/root/directory -type d -exec chmod 775 {} \;

Whichever way you set it up, then you need to give read and write permissions to the webserver for storage, cache and any other directories the webserver needs to upload or write too (depending on your situation), so run the commands from bashy above :

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

Now, you're secure and your website works, AND you can work with the files fairly easily

MladenJanjetovic

@bgies - can you clarify something please?

When you said: IF YOU ARE SETTING YOUR FOLDER PERMISSIONS TO 777 YOU HAVE OPENED YOUR SERVER TO ANYONE THAT CAN FIND THAT DIRECTORY.

What do you mean by this "ANYONE THAT CAN FIND THAT DIRECTORY"? How can one find my directory if I have i.e. vps or dedicated server? Or this is just for shared hostings?

nate.a.johnson
MladenJanjetovic

@nate.a.johnson - So I guess that's it. If you share hosting with someone else it's bad idea, but if you have your own server it doesn't matter, because if you have malicious user in your shell I guess it's bigger server security problem.

nate.a.johnson

It's never safe to make things world writeable and world executable. I'd try to avoid that unless absolutely necessary. For example, even if you are on a private server, if you allow uploads to a folder that is 777, a hacker could upload a script, execute it and really do just about anything they wanted to do.

Just be safe when setting up your permissions.

MladenJanjetovic

Yes, upload directory is something you need to be very careful.

Please sign in or create an account to participate in this conversation.