Currently I set 0777 on all the directories and files. However, I'm scared of them being accessed by others. Log files and all the controllers, models, views, and the files in config are set to 0777. In general, how are they supposed to be set?
Upvotes: 12
Views: 6725
You should definitely not use 0777 for your file permissions. This more easily exposes you to vulnerabilities. In general, follow this principle:

For folders, use 0755, which equates to rwxr-xr-x. The execute permission allows folder contents to be viewed.

find /your/rails/dir -type d -exec chmod 755 {} +

For executed scripts, also use 0755. This allows anyone to execute the scripts, but not make changes (write) to them.

For all other files, use 0644, which equates to rw-r--r--. This allows everyone to read the file, the owner to write to the file, and no one to execute the file. This prevents, among other things, malicious scripts from being uploaded and executed.

find /your/rails/dir -type f -exec chmod 644 {} +

Optionally, you could consider more restrictive permissions on files containing passwords, especially config/database.yml or any files containing passwords for things like mail services (Mandrill, SendGrid, Postmark), Amazon S3 buckets, or Redis connections. For these files you might use 0600.

In a production environment, your Rails app should be running as the same user (not root) that owns all of these files. This is accomplished most easily by using Passenger, Unicorn, or running a web server such as Mongrel or WEBrick as the local user listening on a port such as localhost:3000, and having Apache or Nginx reverse proxy to localhost:3000.
Upvotes: 15
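The scheme in the answer above (755 for directories and scripts, 644 for other files, 600 for credential files), applied by a script and then audited for anything left world-writable or unexpectedly executable, as an added example that is not the answerer's code. The SECRET_FILES list and the bin/ convention are assumptions, only config/database.yml comes from the answer, and the demo tree is constructed, not a real app.

```shell
#!/bin/sh
set -e

# Assumed list of credential files; extend it for your app.
SECRET_FILES="config/database.yml"

harden_rails_perms() {
  dir=$1
  # Directories 755: owner may create/delete, everyone else may only traverse.
  find "$dir" -type d -exec chmod 755 {} +
  # Regular files 644: only the owner writes, nothing is executable.
  find "$dir" -type f -exec chmod 644 {} +
  # Scripts that must run (assumed to live in bin/) get execute back.
  if [ -d "$dir/bin" ]; then
    find "$dir/bin" -type f -exec chmod 755 {} +
  fi
  # Files holding passwords: owner-only.
  for f in $SECRET_FILES; do
    if [ -f "$dir/$f" ]; then chmod 600 "$dir/$f"; fi
  done
}

# Print anything world-writable (-perm -002) or any executable file outside
# bin/ (-perm -100). Returns 0 when the tree is clean, 1 otherwise.
audit_rails_perms() {
  dir=$1
  found=$( { find "$dir" -perm -002
             find "$dir" -type f -perm -100 ! -path "$dir/bin/*"; } | sort -u )
  if [ -z "$found" ]; then return 0; fi
  printf '%s\n' "$found"
  return 1
}

# Constructed demo tree standing in for a Rails checkout.
demo=$(mktemp -d)
mkdir -p "$demo/app/models" "$demo/config" "$demo/bin" "$demo/log"
: > "$demo/app/models/user.rb"
: > "$demo/config/database.yml"
: > "$demo/bin/rails"
: > "$demo/log/production.log"
chmod -R 777 "$demo"        # the asker's starting state
harden_rails_perms "$demo"
audit_rails_perms "$demo" && echo "clean: nothing world-writable, no stray executables"
rm -rf "$demo"
```

Run the audit alone (without hardening) first on a real checkout to see what it would change; both functions take the application root as their only argument.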