tags:
views: 49
answers: 2

As the question states, is this task safe for a production environment? I find the permissions rather permissive; the cache directory is the one I find particularly suspicious. Write and execute permission on a code directory is somewhat suspicious.

Cheers

+2  A: 

Write: quite obviously needed to be able to cache data.
Execute: in the case of a directory, it means listing is allowed, i.e. to see if a cached version exists or not.

the project:permissions task is safe to use in prod, it is as strict as it can be while still allowing normal usage.
Also keep in mind that the contents of your cache directory cannot be accessed from the outside.

Maerlyn
oops, voted the wrong way sorry - can you edit your answer in a non-meaningful way so I can reverse it for you? :)
Raise
Np, at least I had my first downvote :) Edited it.
Maerlyn
A: 

It's fine for a dedicated production environment (like a VPS or dedicated server), but it's probably too permissive if you're on shared hosting: the defaults are world-writable for the cache and upload folders, and you really only need to give access to the web server account (and possibly the user who can upload updates to the code).

You can make your own task that does the same thing but with tighter permissions:

  1. copy the project:permissions task (lib/vendor/symfony/lib/task/project/sfProjectPermissionsTask.class.php) to your lib/task folder
  2. rename the file and the class
  3. change the declarations on lines 30 and 31 (e.g., 'project' and 'permissions-strict')
  4. alter the permissions in the $this->chmod() method calls on lines 46-68. You may have to create a $this->chown() method too if you really want to lock things down.

(You could also extend the sfProjectPermissionsTask class, but since you'd be overriding just about everything, it doesn't really seem worthwhile)

inanimatt
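A concrete version of the task the steps above describe, written here as an added example (not inanimatt's code and not symfony's own sfProjectPermissionsTask). It extends sfBaseTask directly, registers as project:permissions-strict, and grants write access to the cache, log and upload directories through a group (assumed to be www-data, overridable with --group) instead of through world-writable modes; it finishes with a check for anything under the project root that is still writable by "other". The symfony 1.x APIs used (sfBaseTask, sfConfig, sfFinder, sfFilesystem::chmod/mkdirs) exist; the file name, task name, group name and the chosen modes are assumptions.

```php
<?php
// lib/task/sfProjectPermissionsStrictTask.class.php  (assumed file name)
// Added example, not symfony's sfProjectPermissionsTask: same job, but no
// mode it sets ever has the "other" bits on. Group name and modes are assumptions.
class sfProjectPermissionsStrictTask extends sfBaseTask
{
  protected function configure()
  {
    $this->addOptions(array(
      new sfCommandOption('group', null, sfCommandOption::PARAMETER_REQUIRED,
        'Group the web server process runs as', 'www-data'),
    ));

    $this->namespace        = 'project';
    $this->name             = 'permissions-strict';
    $this->briefDescription = 'Fixes directory permissions without making anything world-writable';
    $this->detailedDescription = <<<EOF
The [project:permissions-strict|INFO] task gives the web server group
write access to the cache, log and upload directories (setgid directories
2770, files 660) and leaves everything else closed to other accounts:

  [./symfony project:permissions-strict --group=www-data|INFO]
EOF;
  }

  protected function execute($arguments = array(), $options = array())
  {
    $fs   = $this->getFilesystem();
    $dirs = array(sfConfig::get('sf_cache_dir'), sfConfig::get('sf_log_dir'));
    if (file_exists(sfConfig::get('sf_upload_dir')))
    {
      $dirs[] = sfConfig::get('sf_upload_dir');
    }

    foreach ($dirs as $dir)
    {
      if (!is_dir($dir))
      {
        $fs->mkdirs($dir);
      }

      $subdirs = sfFinder::type('dir')->in($dir);
      $files   = sfFinder::type('file')->in($dir);

      // Hand the tree to the web server group first, then set modes:
      // directories rwxrws--- (setgid, so new files inherit the group),
      // files rw-rw----.
      $this->chgrpAll(array_merge(array($dir), $subdirs, $files), $options['group']);
      $fs->chmod(array_merge(array($dir), $subdirs), 02770);
      if ($files)
      {
        $fs->chmod($files, 0660);
      }
    }

    // The CLI front controller only needs to be runnable by the deploying user.
    $fs->chmod(sfConfig::get('sf_root_dir').'/symfony', 0750);

    $this->auditWorldWritable(sfConfig::get('sf_root_dir'));
  }

  // sfFilesystem wraps chmod but not chgrp, so call PHP's chgrp() directly.
  // chgrp only succeeds for the file owner or root.
  protected function chgrpAll(array $paths, $group)
  {
    foreach ($paths as $path)
    {
      if (!@chgrp($path, $group))
      {
        $this->logSection('chgrp', sprintf('failed on %s (run as the owner or root)', $path), null, 'ERROR');
      }
    }
  }

  // Post-condition check: report anything under the project that is still
  // writable by "other" (0002 is the world-write bit), which is exactly what
  // the stock project:permissions task leaves behind.
  protected function auditWorldWritable($root)
  {
    $finder = sfFinder::type('any')->discard('.git')->prune('.git');
    foreach ($finder->in($root) as $path)
    {
      if (fileperms($path) & 0002)
      {
        $this->logSection('world-writable', $path, null, 'ERROR');
      }
    }
  }
}
```

Run it as the account that owns the checkout (chgrp fails otherwise), and make sure that account is also a member of the web server group, or clearing the cache from the CLI will stop working once the "other" write bit is gone. Because the directories are setgid, files the web server creates later keep the right group, but their mode still comes from PHP's umask, so re-run the task after deployments rather than assuming it sticks.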