Rails core - Jun 2009 - File Permissions

I am running rails on mongrel with RHEL5 and I have a curious issue
with the file permissions set when I upload a file and store it to my
uploads storage folder. I have the uploads storate folder set to
drwx------ owned by my user who is running mongrel. When the files get
written they come out -rw-rw-rw. I am aware the file.write is a ruby
module (which is what I am using to write) but I can''t seem to find
anywhere how it ends up -rw-rw-rw and not just the default folder
permission or umask ... I even set my user''s umask to 077 in /etc/
bashrc before I started mongrel, and still, after an upload -rw-rw-
rw ... It could be a system issue, but I figured I''d ask. I am also
aware that I can follow my file.write up with a umask or chmod, but I
thought to check with the community to see if there was a place where
I can just default all file writing to -rw------ ... it seems safest
to default to this, especially in a shared server environment.

I guess its a little out of core scope here, nobody responded so I did
more guesswork and figured out a few things. If anyone could validate
them or suggest any thoughts I''d appreciate it.

1.) Rails seems to have nothing to do with the permissions, maye the
ruby module somehow defaults itself?
2.) It seems that whatever you do with linux file permissions for your
user, if they can write, the file shows up as -rw-rw-rw
3.) You can write this single line before opening or writing to file:
File.umask(077)
This seems to set the umask for the rest of the file manipulations.
4.) I haven''t tested it, but I would suspect if you ran this line in
your enviornment.rb it would probably stick and the permissions would
stay that way until you change them?

I suspect that the permissions default rw-rw-rw as they do because
usually there is some sort of web server, apache, IIS, etc that should
be used to render the files, and often that web server isn''t running
in the same process or user as mongrel/rails. I think this is
sensible, but when data is sensitive and you have more then one user
for the server you don''t want to give the world read permissions to
the apache, the world, etc. Maybe a lot of developers don''t want to
think about users and permissions, but for security standards and
awareness I think that this should be at least mentioned in the
configuration.... especially on a shared hosting account, world
writable, scary!



-Josh

On Jun 9, 7:47 pm, Josh <JoshBWh...@gmail.com>
wrote:
> I am running rails on mongrel with RHEL5 and I have a curious issue
> with the file permissions set when I upload a file and store it to my
> uploads storage folder. I have the uploads storate folder set to
> drwx------ owned by my user who is running mongrel. When the files get
> written they come out -rw-rw-rw. I am aware the file.write is a ruby
> module (which is what I am using to write) but I can''t seem to
find
> anywhere how it ends up -rw-rw-rw and not just the default folder
> permission or umask ... I even set my user''s umask to 077 in /etc/
> bashrc before I started mongrel, and still, after an upload -rw-rw-
> rw ... It could be a system issue, but I figured I''d ask. I am
also
> aware that I can follow my file.write up with a umask or chmod, but I
> thought to check with the community to see if there was a place where
> I can just default all file writing to -rw------ ... it seems safest
> to default to this, especially in a shared server environment.

> I suspect that the permissions default rw-rw-rw as they do because
> usually there is some sort of web server, apache, IIS, etc that should
> be used to render the files, and often that web server isn''t
running
> in the same process or user as mongrel/rails. I think this is
> sensible, but when data is sensitive and you have more then one user
> for the server you don''t want to give the world read permissions
to
> the apache, the world, etc. Maybe a lot of developers don''t want
to
> think about users and permissions, but for security standards and
> awareness I think that this should be at least mentioned in the
> configuration.... especially on a shared hosting account, world
> writable, scary!
There''s nothing much about file permissions in rails itself.
Generally you can solve most of this stuff with things like sticky
permissions on directories or calling umask / chmod yourself on the
files.  Another option is to use Tempfile which defaults to 0600.

If you''re using a plugin for your upload management, perhaps contact
the authors and ask if there''s an option for permissions.


-- 
Cheers

Koz