How should I set up permissions for a Rails app?


Question

Currently I have set 0777 on all the directories and files.
However, I'm scared of them being accessed by others.
The log files and all the controllers, models, views, and the files in config are set to 0777.

In general, how are they supposed to be set?

  • The log directory and its files
  • Controller files
  • Model files
  • View files
  • Files in the config directory

Answer

You should definitely not use 0777 for your file permissions. This more easily exposes you to vulnerabilities.

In general, follow this principle:

  • For folders, use 0755, which equates to rwxr-xr-x. The execute permission allows folder contents to be viewed.

    find /your/rails/dir -type d -exec chmod 755 {} +

  • For executed scripts, also use 0755. This allows anyone to execute the scripts, but not make changes (write) to them.

  • For all other files, use 0644, which equates to rw-r--r--. This allows everyone to read the file, the owner to write to the file, and no one to execute the file. This prevents, among other things, malicious scripts from being uploaded and executed.

    find /your/rails/dir -type f -exec chmod 644 {} +

Optionally, you could consider more restrictive permissions on files containing passwords, especially config/database.yml or any files containing passwords for things like mail services (mandrill, sendgrid, postmark), Amazon S3 buckets, or Redis connections. For these files you might use 0600.

In a production environment, your Rails app should be running as the same user (not root) that owns all of these files. This is accomplished most easily by using passenger, unicorn, or running a web server such as mongrel or webrick as the local user listening on a port such as localhost:3000, and having Apache or Nginx reverse proxy to localhost:3000.
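The scheme from the answer above, put together into a single script as an added example (this is not code from the answer): directories 0755, plain files 0644, executable wrappers 0755, credential files 0600, plus a check that reports any world-writable leftovers from the old 0777 state. The list of secret-bearing files and the bin/ and script/ locations are assumptions; adjust them to your app.

```shell
#!/bin/sh
# Added example, not from the original answer. Applies the recommended
# permission scheme to a Rails checkout and verifies the result.
set -e

# Apply: directories 755, every file 644, then re-open executable wrappers
# (755) and lock down files that hold credentials (600).
harden_rails_perms() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    # Executable entry points (assumed locations: bin/ and script/)
    for sub in bin script; do
        if [ -d "$dir/$sub" ]; then
            find "$dir/$sub" -type f -exec chmod 755 {} +
        fi
    done
    # Files that typically carry secrets (assumed list; extend as needed)
    for secret in config/database.yml config/secrets.yml config/master.key .env; do
        if [ -f "$dir/$secret" ]; then
            chmod 600 "$dir/$secret"
        fi
    done
}

# Report: number of paths still writable by "others" (the 0777 problem).
# -perm -002 is POSIX find syntax for "other-write bit set".
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Stand-alone usage: harden_rails_perms /your/rails/dir
#                    world_writable_count /your/rails/dir   (should print 0)
```

Run `world_writable_count` before and after hardening; a non-zero result afterwards means a path outside the scheme still needs attention.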

