I am writing because I have a concern about how ERPNext handles files at rest on the server. There are two aspects that I am concerned with. The first I started here with a conversation on how to set the default file handling to private, instead of public, on document attachments.
This needs to be addressed because most users are not going to ensure that every file is set to private before attaching. I am having to go through my system every other day and fix these issues by hand. ERP holds and manages A LOT of sensitive information for our business (and I assume everyone else’s business that uses the platform). There are many elements to what can be in an attachment and the majority of it can be sensitive to operations. Having files be public by default means that anyone can browse the file repository with a simple wget script against your URL. Not good…
My next concern has to do with the files on the server itself. These are not protected at all. If a person was able to gain access to the server, they will be able to see every file, even the private ones, since they are simply dropped to the file system. Out of the box, the sites/[site name] directory has read and execute permissions for “other”. Here is an example of the private and public folders on my production site.

drwxr-xr-x 4 erpnext erpnext 4096 Oct 19 2016 private
drwxr-xr-x 3 erpnext erpnext 4096 Oct 19 2016 public
This means that ANY USER, even a non-root user can access the files!
Moving into the private/files and private/backups directories does improve things a little. The default permission is 644 (-rw-r--r--). But this does mean that anyone can read the files!
So, there are some suggestions I would like to make and see what others think as well.
First - change the file permissions so that only the erpnext user has any rights. This means that under sites, the permissions would be 600 (-rw-------) for all files and 700 (drwx------) for directories. Bench should be changed to ensure that these permissions are enforced every time bench is run (no matter the command given).
This will probably require a change in the nginx.conf file, but I am not sure. Once I can get my dev environment fixed (Error in update to latest 8.0.29) I will look into this and document any changes needed.
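As an added illustration of the first suggestion (my own helper, not bench or ERPNext code), this shell snippet audits a site's private tree for group/world-readable entries and then applies the 700/600 scheme described above. It assumes the path sites/[site name] is passed in, and, as noted, that whatever serves private files (nginx or frappe) still has a way to read them after the change.

```shell
#!/bin/sh
# Hypothetical helper (added example): tighten sites/<site name>/private
# to 700 for directories and 600 for files, reporting how many entries
# were readable by group or other before the fix.
# Usage: harden_private_tree /path/to/bench/sites/<site name>
harden_private_tree() {
    site_dir="$1"
    priv="$site_dir/private"
    [ -d "$priv" ] || { echo "no private directory under $site_dir" >&2; return 1; }
    # Audit first: count entries (the tree root included) that group or other can read.
    exposed=$(find "$priv" \( -perm -o=r -o -perm -g=r \) | wc -l | tr -d ' ')
    # Directories: owner-only traverse. Files: owner-only read/write.
    find "$priv" -type d -exec chmod 700 {} +
    find "$priv" -type f -exec chmod 600 {} +
    echo "$exposed"
}

# Succeeds only if nothing under the private tree is readable by group or other;
# this is the check bench could run on every invocation, as the post suggests.
check_private_tree() {
    priv="$1/private"
    remaining=$(find "$priv" \( -perm -o=r -o -perm -g=r \) | wc -l | tr -d ' ')
    [ "$remaining" -eq 0 ]
}
```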
Second - ERPNext should be configured to encrypt all data at rest. This includes the database, tables and all data as well as ALL files on the filesystem, especially the files in the private directory, which includes backups as well as the regular private document attachments. However, public files could use the treatment as well and the frappe framework would be the “thing” that determines security on the file before allowing a browser to see it and not the web server.
I realize that what I am asking is a lot, especially of the foundation and the development team. However, in our highly interconnected world, security for platforms such as ERPNext needs to be very high on the list.
I look forward to your thoughts.