Is there a recommended set of permissions for files and folders in PrivateBin? The FAQ didn't mention anything about it.
The important thing is basically to just make the paths inaccessible for web users.
As for file permissions:
data dir may be writable (but I am not entirely sure, whether the salt or such stuff are also saved in the database, if one is configured) by PrivateBincfg folder must be writable by PrivateBin, too (otherwise I'd recommend it to be read-only)data and cfg dir may not be readable by other users on the systemRugk is right. For completeness: The data dir needs always be writeable to the PHP process. Everything else needs to be read-only, with the one exception of the cfg directory for the upgrade to 1.1.1. Once you see that all config files were turned from ini to php files, you can make it read-only again.
Depending on your setup, the PHP process may run under a different user then the web server. Here are a few common setup scenarios:
The permissions need to look like this:
Note that even with a database setup, only the pastes are stored in the database. The server salt and the traffic limiter key-value store are always stored in the data dir.
I'm on version 1.1.1 at the moment with an apache set up.
I set the owner to www-data
Set all directories to 0550 except the data which I set to 0750
I set all files to 0640
I think I set everything up properly now.
Thanks for answering my question
Great, but wait… this is very suitable for getting into the official documentation/setup process or FAQ in the wiki…
So why not put it there…
For the FAQ, yey or nay? (basically copied elridos comment)
What are the recommended file and folder permissions for Privatebin?
Depending on your setup, the PHP process may run under a different user then the web server. Here are a few common setup scenarios:
-"Classic" Apache web server with mod_php - In this case PHP scripts are run as child-processes of the apache server and as the same user as the apache server. Since there is only one user in this scenario that needs access, one could go with just owner level permissions (0600 instead of 0640 for example).
-Any webserver, PHP runs as (fast)cgi or PHP-FPM (fast process manager) process - here the webserver and PHP may run in separate users. This is very common on shared hosters, where each customers PHP scripts are run in their own user, so that they can't read other customers files, etc. For this setup to work, the owner needs to be set to the same as the php process (usually not something that you can change on a share hoster) and the group needs to be set to a group the web servers user is in.
The permissions need to look like this:
directories: 0550 (read-only for owner and group, not accessible for others)
data directory: 0750 (writeable for owner, read-only for group, not accessible for others)
files: 0640 (writeable for owner, read-only for group, not accessible for others), created files get these permissions automatically
Maybe adding a script for setting this up easily?
#!/bin/bash
pbpath='/var/www/privatebin'
pbdata='/var/www/privatebin/data'
htuser='www-data'
htgroup='www-data'
rootuser='root'
printf "chmod Files and Directories\n"
find ${pbpath}/ -type f -print0 | xargs -0 chmod 0640
find ${pbpath}/ -type d -print0 | xargs -0 chmod 0550
find ${pbdata}/ -type f -print0 | xargs -0 chmod 0640
find ${pbdata}/ -type d -print0 | xargs -0 chmod 0750
printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${pbpath}/
I just added the information and script to the FAQ.
https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin
Ah, thanks. That looks very good. I just linked it from the installation manual.
Most helpful comment
For the FAQ, yey or nay? (basically copied elridos comment)
Maybe adding a script for setting this up easily?