File and folder permissions and htaccess+DB user privileges?

Hello everyone. :lol:

  1. What are the recommended settings for file and folder permissions and htaccess to harden the server from a security standpoint?
  2. Also, what are the recommended bare minimum database user’s privileges after running the installation?
     (Having the user on full privileges is in general dangerous and should be avoided.)

We are about to run an installation of SuiteCRM on our servers and are trying to prep the upload before installing it, so it would be appreciated to know more about this…

Thanks!

Hi

About the Linux permissions, I would just remove the “everyone” permissions, they shouldn’t be necessary. So use 770 instead of 775, and 750 instead of 755. Make sure your file ownerships will use the “user” or “group” privileges from those codes.

About the database, I never tried hardening database permissions for SuiteCRM. I am not sure how much you can remove. SuiteCRM will need to read/write data, but also to add new tables and change columns on existing tables. Remember this is an app that writes itself, you change things in Studio and these changes will affect database structure, not just database data.

I suppose you can use tighter restrictions, if you are willing to exclude usage of Studio and Quick Repairs and Rebuilds (in production server, I don’t suppose you will want to do that in development). Or you can give permissions only temporarily for these operations.

Thank you for your help and your reply pgr!

So in regards to hardening the DB user, would this suffice, do you think?
Select, insert, update, Create, Alter, Drop, Delete.

For the files and folders, do you apply that to all files and folders then?

Thank you! :cheer:

What does that leave out?

The only way to find out is to try it, remember what I said above, I never tried this.

About Linux permissions (an issue I am more familiar with), I am thinking in terms of the basic recommended permissions:

  sudo chown -R www-data:www-data .
  sudo chmod -R 755 .
  sudo chmod -R 775 cache custom modules themes data upload
  sudo chmod 775 config_override.php 2>/dev/null

(replacing www-data with whatever your web server user is called).

These are the permissions where I would harden by dropping the last “5” from each of those numbers.
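
An added example, not part of the thread and not SuiteCRM's own tooling: a POSIX shell script for the hardened variant described in the post above (750 and 770 in place of 755 and 775), with a check that lists anything still accessible to "other". The function names and the script name `harden.sh` are hypothetical, and the install root is passed as an argument.

```shell
#!/bin/sh
# Added example (not SuiteCRM's own script). Function names are hypothetical.
# Directories the post above lists as needing group write access.
WRITABLE_DIRS="cache custom modules themes data upload"

# harden_perms ROOT [OWNER]
# Applies 750 everywhere and 770 to the writable paths. OWNER (for example
# www-data:www-data) is optional because chown normally requires root.
harden_perms() {
    root=$1
    owner=${2:-}
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 1
    fi
    if [ -n "$owner" ]; then
        chown -R "$owner" "$root" || return 1
    fi
    chmod -R 750 "$root" || return 1
    for d in $WRITABLE_DIRS; do
        # A directory may not exist yet, e.g. before the installer has run.
        if [ -d "$root/$d" ]; then
            chmod -R 770 "$root/$d" || return 1
        fi
    done
    if [ -f "$root/config_override.php" ]; then
        chmod 770 "$root/config_override.php" || return 1
    fi
    return 0
}

# world_accessible ROOT
# Prints every path that still has a read, write or execute bit for "other".
# Symlinks are skipped: their own mode is always rwxrwxrwx on Linux.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# count_world_accessible ROOT: number of paths reported by world_accessible.
count_world_accessible() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Run as: sh harden.sh /path/to/suitecrm [owner:group]
if [ "$#" -ge 1 ]; then
    harden_perms "$@" && world_accessible "$1"
fi
```

With the "other" bits gone, the web server only reaches the files as owner or group member, so an empty listing from `world_accessible` should be paired with a check that the ownership matches the web server user.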

Thank you for your valuable help.

What does that leave out?

So that is what it would look like.

Hmm, ok. I know the installer creates indexes, sometimes also the upgraders. But probably not during normal every day execution.

I don’t know about “lock tables”, I guess you can just search the code to see if it’s used.

Please come back here and tell us about your experience, after you’ve deployed. Thanks!

Alright, thank you very much for your appreciated help! :cheer: