From: Pietro L. <pie...@gm...> - 2022-01-13 04:01:34
Dear Nick,

I also use the systemd solution and since I learned that from exist, I use that for everything I can in the same way. The location of exist and the data directory is owned by the user named in the systemd configuration.

All best,
Pietro Maria Liuzzo (egli/lui,he/him,er/ihn)
cel (DE): +49 (0) 176 61 000 606
Skype: pietro.liuzzo (Quingentole)
ORCID: https://orcid.org/0000-0001-5714-4011
Academia: https://uni-hamburg.academia.edu/PietroMariaLiuzzo

> On 12 Jan 2022, at 22:00, Øyvind Gjesdal <oyv...@gm...> wrote:
>
> Hi Nick,
>
> I think this is supposed to happen, and is part of the nologin you added. The section under https://exist-db.org/exist/apps/doc/advanced-installation#linux also seems to follow the production good practice guide for creating a user, and it also shows how to set up a systemd service which runs the application as that exist-user. I think you can probably also start the service manually for testing by running "sudo -u exist-user $EXIST_HOME/bin/startup.sh".
>
> Best regards,
> Øyvind Gjesdal
>
> On Wed, 12 Jan 2022 at 19:32, Nick Sincaglia <nsi...@nu...> wrote:
> > I am in the process of setting up a brand new server with eXist-db running on it. I am paying particular attention in trying to make this server as secure as possible. I am not a Linux administrator by training but I know a decent amount to be able to follow directions.
> >
> > The eXist-db website has a best practices page for setting up eXist-db here:
> > https://exist-db.org/exist/apps/doc/production_good_practice.xml
> >
> > Under the "Operating System Permissions" section it states the following:
> > "Typically we would recommend creating an exist user account and exist user group with no login privileges (no shell and empty password), changing the permissions of the eXist-db installation to be owned by that user and group. Then run eXist-db using those credentials."
> >
> > I am using AWS Linux and I am able to SSH into the server as "ec2-user". I created a new user "exist-user" using the "adduser" command. I then tried to remove login privileges by typing the command:
> >
> > sudo usermod exist-user -s /sbin/nologin
> >
> > This successfully removed login privileges for 'exist-user', however, when I try to switch my ec2-user to exist-user I get the notification "This account is currently not available."
> >
> > I believe I must be misunderstanding what the best practices recommendation is trying to tell me. What do I need to do to create a user "with no login privileges (no shell and empty password)"? Can someone explain?
> >
> > Nick
> >
> > --
> > Nick Sincaglia
> > President/Founder
> > NueMeta, LLC
> > Digital Media & Technology
> > Phone: +1-630-303-7035
> > nsi...@nu...
> > http://www.nuemeta.com
> > Skype: nsincaglia
> > _______________________________________________
> > Exist-open mailing list
> > Exi...@li...
> > https://lists.sourceforge.net/lists/listinfo/exist-open
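
Added example, not part of the thread or of the eXist-db documentation: a shell check that a service account such as the exist-user discussed above has a non-login shell and a locked password, reading passwd(5)/shadow(5)-format lines. The function names, UIDs and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a service account from passwd(5)/shadow(5)-format lines.
# All sample entries are constructed; on a real host feed in
# "$(getent passwd exist-user)" and "$(sudo getent shadow exist-user)".

# Succeeds when field 7 of the passwd entry is a non-interactive shell.
shell_blocks_login() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when field 2 of the shadow entry can never match a typed password.
# A '!' or '*' prefix means locked; an EMPTY field means no password is
# required at all, so it is reported as a finding rather than accepted.
password_locked() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<user>: ok" or "<user>: <findings>" for one passwd/shadow pair.
audit_account() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    findings=""
    shell_blocks_login "$1" || findings="interactive-shell"
    password_locked "$2" || findings="${findings:+$findings,}password-not-locked"
    printf '%s: %s\n' "$user" "${findings:-ok}"
}

# Constructed sample entries.
GOOD_PASSWD='exist-user:x:1001:1001::/home/exist-user:/sbin/nologin'
GOOD_SHADOW='exist-user:!!:19004:0:99999:7:::'
BAD_PASSWD='exist-user:x:1001:1001::/home/exist-user:/bin/bash'
EMPTY_SHADOW='exist-user::19004:0:99999:7:::'

audit_account "$GOOD_PASSWD" "$GOOD_SHADOW"
audit_account "$BAD_PASSWD" "$EMPTY_SHADOW"
```

An account that passes this check cannot be entered with su, because su starts the account's login shell, while "sudo -u exist-user <command>" and a systemd unit with User= execute the command directly without that shell.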