From: Øyvind G. <oyv...@gm...> - 2022-01-12 21:01:05

Hi Nick,

I think this is supposed to happen, and is part of the nologin you added.

The section under https://exist-db.org/exist/apps/doc/advanced-installation#linux also seems to follow the production good practice guide for creating a user, and it also shows how to set up a systemd service which runs the application as that exist-user.

I think you can probably also start the service manually for testing by running "sudo -u exist-user $EXIST_HOME/bin/startup.sh".

Best regards,
Øyvind Gjesdal

On Wed, 12 Jan 2022 at 19:32, Nick Sincaglia <nsi...@nu...> wrote:

> I am in the process of setting up a brand new server with eXist-db running
> on it. I am paying particular attention in trying to make this server as
> secure as possible. I am not a linux administrator by training but I know
> a decent amount to be able to follow directions.
>
> The eXist-db website has a best practices page for setting up eXist-db
> here:
> https://exist-db.org/exist/apps/doc/production_good_practice.xml
>
> Under the "Operating System Permissions" section it states the following:
> "*Typically we would recommend creating an exist user account and exist
> user group with no login privileges (no shell and empty password), changing
> the permissions of the eXist-db installation to be owned by that user and
> group. Then run eXist-db using those credentials.*"
>
> I am using AWS Linux and I am able to SSH into the server as "ec2-user". I
> created a new user "exist-user" using the "adduser" command. I then tried
> to remove login privileges by typing the command:
>
> sudo usermod exist-user -s /sbin/nologin
>
> This successfully removed login privileges for 'exist-user', however,
> when I try to switch my ec2-user to exist-user I get the notification "This
> account is currently not available."
>
> I believe I must be misunderstanding what the best practices
> recommendation is trying to tell me. What do I need to do to create a user
> *"with no login privileges (no shell and empty password)"*?
> Can someone explain?
>
> Nick
>
> --
> Nick Sincaglia
> President/Founder
> NueMeta, LLC
> Digital Media & Technology
> Phone: +1-...@nu... http://www.nuemeta.com
> Skype: nsincaglia
>
> _______________________________________________
> Exist-open mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-open
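
An added example, not part of the original thread or of eXist-db's documentation: a POSIX shell check that a service account such as exist-user is non-interactive, working on passwd(5) and shadow(5) format lines. The sample lines are constructed and the function names are hypothetical; it goes slightly beyond the thread by also checking the shadow password field, where a leading `!` or `*` means locked and a truly empty field would allow login with no password.

```sh
#!/bin/sh
# Added example: check that a service account is non-interactive.
# Inputs are passwd(5) and shadow(5) format lines, e.g. from
#   getent passwd exist-user   and   sudo getent shadow exist-user

# Constructed sample lines (not taken from any real host).
SAMPLE_PASSWD_NOLOGIN='exist-user:x:1001:1001::/home/exist-user:/sbin/nologin'
SAMPLE_PASSWD_BASH='exist-user:x:1001:1001::/home/exist-user:/bin/bash'
SAMPLE_SHADOW_LOCKED='exist-user:!!:19004:0:99999:7:::'
SAMPLE_SHADOW_EMPTY='exist-user::19004:0:99999:7:::'

# Succeeds if the login shell (7th passwd field) refuses interactive sessions.
shell_is_nologin() {
    login_shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$login_shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the password field (2nd shadow field) can match no password.
# A leading "!" or "*" means locked; an empty field means NO password is
# required, and anything else is a usable password hash.
password_is_locked() {
    pw_field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw_field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = passwd line, $2 = shadow line. Prints a verdict; returns 0 only if both pass.
audit_service_account() {
    if ! shell_is_nologin "$1"; then
        echo "FAIL: interactive login shell"; return 1
    fi
    if ! password_is_locked "$2"; then
        echo "FAIL: password field is empty or usable"; return 1
    fi
    echo "OK: non-interactive service account"
}

audit_service_account "$SAMPLE_PASSWD_NOLOGIN" "$SAMPLE_SHADOW_LOCKED"
```

An account that passes this check can still run the service: `sudo -u` executes the given command directly instead of starting the account's login shell, while `su` starts that shell and is therefore refused by nologin.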