Permission issues on database migration
When running a database migration the user running a pubsweet app need to own the whole app folder. This is causing security issues.
It is a security best practice to run an app with a user other than root and to limit that user scope of actions only to what it needs, that user should only be able to read everything but write only to specific folders like uploads.
But when executing a database migration, a folder is created in the root folder of the application. In order to create that folder the user running pubsweet apps needs to own the whole app folder which completely kills the purpose of running the app as a non-root user.
There are 2 options to fix this:
- Put the migration files in the
/tmp
folder - Put the migration files in a
migration
folder in the root of the app
Then we can limit the permissions to those folders and not everything