Suggestion: Minimal UNIX permissions support. #10451
AphidGit started this conversation in Feature Requests & Suggestions
Replies: 0 comments
LibreChat is this complicated TypeScript application. If it's run as an administrative user (such as root), a security bug or administrator oversight can mess up the whole machine.
It would be very nice to at least restrict permissions somewhat. The usual approach I take is to cast things as a systemd service and run them as an unprivileged user; in this case, I named it librechat. Configure logrotate, a custom /var/log/ directory, a user home, and a logical place to put the application. In this case, I used /var/www/vhosts/librechat.myhostname.com/librechat/ as the application's document root, while /var/www/vhosts/librechat.myhostname.com/httpsdocs would be the nginx document root.
One of the things I usually do with services to reduce the possibility of things going wrong is to make the files not owned by the user, but by an administrative user, with the librechat user added to a group having either POSIX ACL permissions or group read/execute permissions. This prevents e.g. a malicious attack implanting a web shell, or at least makes this much more difficult to do.
E.g. the files are owned by lcadmin:librechat, while the server is run as librechat:librechat.
What I'd like is for the help documents to have a list of places where files can be safely written, to make a manual local install by default obey the principle of least permission.
The following I've found through trial and error:
/logs/
/api/logs/
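A check for the layout described in this post, added here as an example and not part of the original post or of LibreChat: it lists everything under the install root that the service account can modify outside `logs/` and `api/logs/`. The function names are hypothetical, and the two writable paths are the ones the post reports finding by trial and error, so that list may be incomplete.

```shell
#!/bin/sh
# Added example, not LibreChat code. Audits an install tree laid out as in the
# post: files owned by an admin account (lcadmin), group set to the service
# group (librechat), server running as librechat:librechat.

# Prints every path under ROOT that the service account could modify,
# skipping the directories the post found must stay writable.
# Usage: audit_service_writable ROOT SERVICE_USER SERVICE_GROUP
audit_service_writable() {
    root=${1%/}      # strip a trailing slash so the -path patterns match
    svc_user=$2      # name or numeric uid, e.g. librechat
    svc_group=$3     # name or numeric gid, e.g. librechat

    # A path is writable by the service when it is
    #   - owned by the service user with the owner write bit set, or
    #   - in the service group with the group write bit set, or
    #   - world-writable.
    # Symlinks are skipped because their own mode bits are not enforced.
    find "$root" \
        \( -path "$root/logs" -o -path "$root/api/logs" \) -prune -o \
        ! -type l \
        \( \
            \( -user "$svc_user" -perm -0200 \) -o \
            \( -group "$svc_group" -perm -0020 \) -o \
            -perm -0002 \
        \) -print
}

# Succeeds only when nothing outside the two log directories is writable by
# the service account; suitable as a post-deploy or cron check.
layout_is_least_privilege() {
    [ -z "$(audit_service_writable "$@")" ]
}
```

Run it as a user that can read the whole tree, for example `audit_service_writable /var/www/vhosts/librechat.myhostname.com/librechat librechat librechat`; any line printed is a place where a compromised server process could drop or alter a file.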