NodeBB in Production: Linux Files Permissions, the right way

General Discussion
  • I asked that question briefly here but then I figured maybe the community can hAlp:

    What’s the right way to setup permissions, say you’re on linux (ubuntu12), running nginx 1.4 with redis

    i’ve got:

    drwxr-xr-x 5 www-data www-data 4096 Feb 20 17:50
    drwxr-xr-x 2 www-data www-data 4096 Feb 20 17:49

    where www-data is the nginx user, and a my current user is admin which can sudo btw.

    To setup NodeBB in, I will need to sudo to do anything, from git clone to running any command in there, should admin own that directory? or is it just better to place the NodeBB dir in admin’s home?

    What is your conventional way of doing that in production? I still want to be able to setup supervisor to start on boot too, so calling supervisor shouldn't need sudo

  • woops. approved... I need to find a better commenting system for WP (👻 ooh, wonder what that's going to be)

  • NodeBB, when listening on an unprivileged port, does not require a privileged user, so I just run it under a regular unix account. As long as that account has write access to /public/uploads (and wherever else it needs to write things), it should be fine.

    NodeBB doesn't need to be owned by the nginx user.

  • gotcha! I end up doing this, seems to work, but not sure how dangerous that is

    sudo adduser admin www-data
    sudo chown -R :www-data /var/www
    sudo chmod -R g+rw /var/www
  • Always best to follow the policy of running apps with the least amount of privileges possible. Then in the event of an arbitrary script execution exploit, your system is ideally protected.

  • @julian

    How and how often does this happen? 'arbitrary script execution'
    Any stats?

  • @v4 This is a risk with any application, and NodeBB is no exception. Think "zero-day exploits" and applications which accidentally let someone "break out" of the environment. It's obviously something we patch and code against, but finding them is often another matter 🙂

    We maintain an email specifically for handling these issues: [email protected]. If you've located an exploit vector, email use privately there, and we'll get it fixed up!

Suggested Topics