Defect #27538
closed
Redmine installation documentation incorrectly suggests setting uploaded file permissions to 0755, making them executable for everybody
0%
Description
The official Redmine installation documentation at https://www.redmine.org/projects/redmine/wiki/RedmineInstall#Step-8-File-system-permissions tells us to
chmod -R 755 files log tmp public/plugin_assets
to set up correct file system permissions.
However, this leads to all user-uploaded files getting 0755 file permissions, which makes them executable (for everybody).
You should rather suggest something like
find files log tmp public/plugin_assets -type d -exec chmod 775 {} +
find files log tmp public/plugin_assets -type f -exec chmod 664 {} +
instead.
A check and update of the documentation is needed before the Redmine Docker image maintainers update their docker-entrypoint.sh accordingly; see https://github.com/docker-library/redmine/issues/94
Thanks for having a look at this!
Updated by Toshi MARUYAMA over 7 years ago
- Status changed from New to Needs feedback
- Priority changed from High to Normal
cas dev wrote:
However, this leads to all user-uploaded files getting 0755 file permissions, which makes them executable (for everybody).
Really? I think it depends on umask.
Updated by cas dev over 7 years ago
If we have no files at all when executing the mentioned chmod instruction, indeed it depends on the umask set.
That means, new files created after running that chmod instruction are never affected.
But as human users may change the permissions afterwards using your chmod instruction (e.g. after restoring from a backup), and in the official Redmine Docker Image the docker-entrypoint.sh does that every time the container starts, I think using the mentioned chmod instruction is dangerous as it also affects all existing files.
Updated by Toshi MARUYAMA over 7 years ago
- Status changed from Needs feedback to Closed
- Resolution set to Fixed
Note: If you have files in these directories (e.g. restore files from backup), make sure these files are not executable.
sudo find files log tmp public/plugin_assets -type f -exec chmod -x {} +
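The point argued in this thread (umask decides the mode of new files, while a recursive chmod rewrites files that already exist) can be reproduced in a scratch directory. The script below is an added example, not part of the ticket or of Redmine's documentation; the directory layout, the file name upload.pdf and the umask of 022 are constructed assumptions.

```shell
#!/bin/sh
# Added demo: works only inside a scratch directory created by mktemp.

# Octal mode of a path (GNU stat, with BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Number of regular files below the given paths that carry any execute bit.
count_executable_files() {
    find "$@" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | wc -l | tr -d ' '
}

# Applies the three commands from the ticket in turn and prints:
# new-file  after-chmod-R  exec-count  after-note  exec-count  file  dir
# The body runs in a subshell so the umask change does not leak to the caller.
run_demo() (
    root=$(mktemp -d) || exit 1
    umask 022                                # assumed default umask
    mkdir -p "$root/files/2018/01"
    f="$root/files/2018/01/upload.pdf"       # constructed "uploaded" file
    : > "$f"
    new=$(mode_of "$f")                      # decided by umask alone

    chmod -R 755 "$root/files"               # wiki step as originally written
    recursive=$(mode_of "$f")
    n1=$(count_executable_files "$root/files")

    find "$root/files" -type f -exec chmod -x {} +    # note added to the wiki
    note=$(mode_of "$f")
    n2=$(count_executable_files "$root/files")

    find "$root/files" -type d -exec chmod 775 {} +   # reporter's proposal
    find "$root/files" -type f -exec chmod 664 {} +
    split_file=$(mode_of "$f")
    split_dir=$(mode_of "$root/files/2018")

    rm -rf "$root"
    echo "$new $recursive $n1 $note $n2 $split_file $split_dir"
)

run_demo
```

The same count_executable_files check, pointed at the real files, log, tmp and public/plugin_assets directories, shows whether an existing installation or restored backup is affected.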