I am running rails on mongrel with RHEL5 and I have a curious issue with the file permissions set when I upload a file and store it to my uploads storage folder. I have the uploads storate folder set to drwx------ owned by my user who is running mongrel. When the files get written they come out -rw-rw-rw. I am aware the file.write is a ruby module (which is what I am using to write) but I can't seem to find anywhere how it ends up -rw-rw-rw and not just the default folder permission or umask ... I even set my user's umask to 077 in /etc/ bashrc before I started mongrel, and still, after an upload -rw-rw- rw ... It could be a system issue, but I figured I'd ask. I am also aware that I can follow my file.write up with a umask or chmod, but I thought to check with the community to see if there was a place where I can just default all file writing to -rw------ ... it seems safest to default to this, especially in a shared server environment.
I guess its a little out of core scope here, nobody responded so I did more guesswork and figured out a few things. If anyone could validate them or suggest any thoughts I'd appreciate it.
1.) Rails seems to have nothing to do with the permissions, maye the ruby module somehow defaults itself? 2.) It seems that whatever you do with linux file permissions for your user, if they can write, the file shows up as -rw-rw-rw 3.) You can write this single line before opening or writing to file: File.umask(077) This seems to set the umask for the rest of the file manipulations. 4.) I haven't tested it, but I would suspect if you ran this line in your enviornment.rb it would probably stick and the permissions would stay that way until you change them?
I suspect that the permissions default rw-rw-rw as they do because usually there is some sort of web server, apache, IIS, etc that should be used to render the files, and often that web server isn't running in the same process or user as mongrel/rails. I think this is sensible, but when data is sensitive and you have more then one user for the server you don't want to give the world read permissions to the apache, the world, etc. Maybe a lot of developers don't want to think about users and permissions, but for security standards and awareness I think that this should be at least mentioned in the configuration.... especially on a shared hosting account, world writable, scary!
-Josh
I suspect that the permissions default rw-rw-rw as they do because usually there is some sort of web server, apache, IIS, etc that should be used to render the files, and often that web server isn't running in the same process or user as mongrel/rails. I think this is sensible, but when data is sensitive and you have more then one user for the server you don't want to give the world read permissions to the apache, the world, etc. Maybe a lot of developers don't want to think about users and permissions, but for security standards and awareness I think that this should be at least mentioned in the configuration.... especially on a shared hosting account, world writable, scary!
There's nothing much about file permissions in rails itself. Generally you can solve most of this stuff with things like sticky permissions on directories or calling umask / chmod yourself on the files. Another option is to use Tempfile which defaults to 0600.
If you're using a plugin for your upload management, perhaps contact the authors and ask if there's an option for permissions.
