
In my Laravel project I have set up file and directory permissions with myself as the owner, following the answer in the post How to set up file permissions for Laravel?, as follows:

sudo find . -type f -exec chmod 664 {} \;   
sudo find . -type d -exec chmod 775 {} \;

And the storage and cache folders writable as follows:

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

In this application I've also used Laravel Passport, which generates the Passport keys inside the storage folder, and therefore the permissions for the keys are as follows:

-rwxrwxr-- 1 sammy www-data 3322 Mar 11 14:32 oauth-private.key
-rwxrwxr-- 1 sammy www-data  812 Mar 11 14:32 oauth-public.key

That means everyone can read those files. Would that be secure?

adam78

1 Answer


The private key should only be readable by the user or group that runs the web server.

Run the following commands to fix it:

sudo chmod 640 storage/oauth-private.key
sudo chgrp www-data storage/oauth-private.key

And for storage you can set 770 permissions:

sudo chmod 770 storage

Ali Sharifi Neyestani
  • Isn't `rw-rw----` (660) adequate? – adam78 Mar 11 '23 at 20:20
  • The private key should only be readable by the user or group that runs the web server. In your case, the web server is running under the www-data group, so only that group should have read and write permissions on the private key. – Ali Sharifi Neyestani Mar 12 '23 at 08:36
  • It's also a good idea to make sure that the storage directory itself is not readable by everyone, as it may contain sensitive information such as logs or user uploads. – Ali Sharifi Neyestani Mar 12 '23 at 08:37
  • what should the file permission be for the .env file? – adam78 Mar 14 '23 at 14:05
  • The .env file in a Laravel project contains sensitive information such as database credentials, API keys, and other confidential details. Therefore, it is recommended to set the file permissions of the .env file to 600 to make it readable and writable only by the owner of the file. – Ali Sharifi Neyestani Mar 14 '23 at 23:45
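An added example, not code from the question or the answer above: a small POSIX shell audit that builds a constructed Laravel-like tree in a temporary directory, applies the permissions from the question (664 on files, 775 on directories), reports which of the sensitive paths named in this thread (.env, storage/oauth-private.key, the storage directory itself) are accessible to "other", then applies the modes recommended in the answer and comments (640, 600, 770) and re-checks. It assumes GNU coreutils (`stat -c '%a'`), i.e. a Linux host; the `chgrp www-data` step from the answer is deliberately left out because the constructed tree is owned by whoever runs the script and the www-data group may not exist there.

```shell
#!/bin/sh
# Added example (not from the question or answer): audit "other" permission
# bits on the Laravel secrets discussed in the thread.
# Assumes GNU coreutils: `stat -c '%a'` prints the octal mode, e.g. 664.

# mode_of FILE -> octal permission bits as printed by stat, e.g. 664
mode_of() {
    stat -c '%a' "$1"
}

# other_bits FILE -> the last octal digit of the mode, i.e. the "other" class.
# String slicing is used instead of arithmetic so a leading 0 is never
# misread as an octal literal.
other_bits() {
    m=$(mode_of "$1")
    echo "${m#"${m%?}"}"
}

# world_accessible FILE -> succeeds (exit 0) when "other" has any r/w/x bit
world_accessible() {
    [ "$(other_bits "$1")" -ne 0 ]
}

# audit_secrets PROJECT_DIR -> prints one line per world-accessible path and
# returns the number of findings (0 means clean). The paths are the ones the
# thread discusses; missing paths are skipped.
audit_secrets() {
    dir=$1
    findings=0
    for p in "$dir/.env" "$dir/storage/oauth-private.key" "$dir/storage"; do
        [ -e "$p" ] || continue
        if world_accessible "$p"; then
            echo "world-accessible: $p (mode $(mode_of "$p"))"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# harden PROJECT_DIR -> applies the modes from the answer and its comments:
# 640 on the private key, 600 on .env, 770 on storage.
harden() {
    dir=$1
    chmod 640 "$dir/storage/oauth-private.key"
    chmod 600 "$dir/.env"
    chmod 770 "$dir/storage"
}

# build_tree -> creates a constructed project tree with the question's modes
# (664 on files, 775 on directories) and prints its path.
build_tree() {
    t=$(mktemp -d)
    mkdir "$t/storage"
    touch "$t/.env" "$t/storage/oauth-private.key" "$t/storage/oauth-public.key"
    chmod 664 "$t/.env" "$t/storage/oauth-private.key" "$t/storage/oauth-public.key"
    chmod 775 "$t/storage"
    echo "$t"
}

# Demo: audit the question's layout, apply the answer's fix, audit again.
demo() {
    d=$(build_tree)
    echo "== before =="
    if audit_secrets "$d"; then echo "clean"; fi
    harden "$d"
    echo "== after =="
    if audit_secrets "$d"; then echo "clean"; fi
    rm -rf "$d"
}

demo
```

Running it prints three findings before hardening (.env, the private key and the storage directory all carry "other" bits under the question's 664/775 layout) and "clean" afterwards; the public key is intentionally not on the audit list, since it is not a secret.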