Question asked by high on Nov 20, 2010
I am concerned about the default world-readable filesystem permissions on the contentstore.  I have searched the forums and find nothing on this issue.

I have installed Alfresco Community 3.3g.  It is my first experience with Alfresco.  I installed a few weeks ago on Redhat 5 (latest version with updates applied) x86_64 using the Alfresco Wiki (instructions for Centos) as a guide.  Alfresco is running fine.

My concern is that the contentstore has filesystem permissions set to 755 (directories) and 644 (files).

Since tomcat is the owner, and tomcat is what accesses the files, why are the permissions so open (world readable)?  This means that if anyone can get a local shell of any non-privileged user, they can read (copy) the entire collection of documents from the contentstore.  Are they set like this so that some other component can access the contentstore when running as a different user?

While I am impressed with Alfresco thus far, this permissions issue may be the deal-killer for me, as I am responsible for keeping the files secure and world-readable permissions on important documents are not acceptable.  This goes against all of my experience as an administrator.  So, I assume I must have missed a step or done something wrong.

When I try to fix permissions with something like:

cd /var/lib/alfresco/alf_data/
chmod -R go-rwx .

That breaks Alfresco (datastore integrity checks fail).

How should I tighten the permissions on the datastore without breaking Alfresco?  Was there something I should have done when installing to prevent this problem?
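
The exposure described in the question can be measured before any permissions are changed. The script below is an added example, not part of the original post and not Alfresco's own tooling: a read-only audit that assumes GNU find, uses hypothetical function names, and takes the path and the tomcat owner in its usage comment from the question.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of a content store tree; it changes nothing.
# Assumes GNU find. Function names are hypothetical.
# Usage: ./audit.sh /var/lib/alfresco/alf_data tomcat   (path and owner from the post)

# List entries under $1 that grant any permission to "other": "<mode> <owner> <path>".
list_world_accessible() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -printf '%m %u %p\n'
}

# Count them. One dot per entry keeps the count right for unusual file names.
count_world_accessible() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -printf '.' | wc -c | tr -d ' '
}

# Count entries not owned by the expected service account $2 (name or numeric uid).
count_foreign_owned() {
    find "$1" ! -user "$2" -printf '.' | wc -c | tr -d ' '
}

# Return 0 if every directory from $1 up to $2 (default /) has the "other" search
# bit set. A 644 file is reachable by path for other local users only when this holds.
other_can_reach() {
    _d=$(cd "$1" && pwd -P) || return 2
    _top=$(cd "${2:-/}" && pwd -P) || return 2
    while :; do
        [ -n "$(find "$_d" -maxdepth 0 -perm -0001)" ] || return 1
        if [ "$_d" = "$_top" ] || [ "$_d" = "/" ]; then return 0; fi
        _d=$(dirname "$_d")
    done
}

if [ "$#" -ge 1 ]; then
    owner=${2:-tomcat}
    echo "entries accessible to other: $(count_world_accessible "$1")"
    echo "entries not owned by $owner: $(count_foreign_owned "$1" "$owner")"
    if other_can_reach "$1"; then
        echo "path is reachable by other local users"
    else
        echo "an ancestor directory blocks other local users"
    fi
    list_world_accessible "$1" | head -n 20
fi
```

Run it as root or as the owning account so that find can descend into every directory; POSIX ACLs are not inspected.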