BookStack requires the ability to write and read files for various uses such as writing logs, handling file uploads and running application code. Ideally, files permissions should be limited to just what’s required to reduce the chance of potential vulnerability exploit.
By default, BookStack requires the following permissions:
- Read access to the BookStack install folder and everything within.
- Write permission to the following folders, relative to the BookStack installation directory, and everything within:
Note: This access is likely controlled by the user/group of the PHP and/or web-server processes.
Additionally, you may want to ensure read access the
.env file is limited as much as possible, to just PHP/web-server process and any trusted users that may need to update it, since this file can often contain credentials and keys.
Example Permissions Approach
This section provides an approach for setting permissions for your BookStack instance, which allows updating by the login user while providing the web-server with the required permissions.
The below makes the following assumptions, you will need to change these parts of the command to make it work for you:
- Your normal login user (That you may run updates with) is called
- Your BookStack install folder is located at
- Your web-server/php user is called
www-data(Default on Ubuntu systems).
Lines starting with
# are comments.