Problem
The .env file has mode 600 (owner-only read/write) but is owned by deploy:prod-readers. This prevents group members from reading the file.
-rw------- 1 deploy prod-readers 2058 Feb 3 16:16 .env
While the systemd service runs as the deploy user (can read), this violates the principle of least surprise since the group is set to prod-readers but can't actually read.
Impact
- Group members cannot read configuration
- Inconsistent with file ownership model
- May cause issues if other processes need access
Solution
Change permissions to 640 to enable group read:
sudo chmod 640 /home/deploy/prod/audio-analysis-mcp/.env
Result:
-rw-r----- 1 deploy prod-readers 2058 Feb 3 16:16 .env
Labels
P2-medium - Should fix but not blocking
type:bug - Incorrect file permissions
area:deployment - Configuration
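
A check that can be run after the chmod, or on each deploy, to confirm the file matches the ownership model described above. This is an added example, not part of the original issue or the project's code; check_env_perms is a hypothetical helper name and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original issue. check_env_perms is a
# hypothetical helper; it relies on GNU stat (coreutils, Linux).
# Usage: check_env_perms /path/to/.env prod-readers

check_env_perms() {
    file=$1
    want_group=$2
    rc=0

    [ -f "$file" ] || { echo "FAIL: $file is not a regular file"; return 2; }

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3

    # Leading 0 makes the shell parse the mode as octal.
    bits=$((0$mode))
    group_bits=$(( (bits >> 3) & 7 ))
    other_bits=$(( bits & 7 ))

    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi
    # The state reported in the issue: a group is assigned but has no read bit.
    if [ $(( group_bits & 4 )) -eq 0 ]; then
        echo "FAIL: mode $mode gives group $group no read access"; rc=1
    fi
    # 640 grants the group read only; write or execute is broader than intended.
    if [ $(( group_bits & 3 )) -ne 0 ]; then
        echo "FAIL: mode $mode gives group $group write or execute"; rc=1
    fi
    # A secrets file must stay closed to everyone outside owner and group.
    if [ "$other_bits" -ne 0 ]; then
        echo "FAIL: mode $mode exposes $file to other users"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is $mode $owner:$group"
    return "$rc"
}
```

The function returns 0 only for a group-readable file with no group write or execute and no access for others, so it also catches a later deploy that resets the file to 600 or loosens it to 644.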