From dc4214a8ca0e735c58f7b7af224b5f31c16e277c Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Wed, 17 Feb 2021 02:09:01 -0500 Subject: [PATCH] suggest 0700 permissions for the role user homedir --- docs/MANUAL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/MANUAL.md b/docs/MANUAL.md index 51039c3e..c1421d81 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md @@ -180,7 +180,7 @@ The recommended way to operate oragono as a service on Linux is via systemd. Thi The only major distribution that currently packages Oragono is Arch Linux; the aforementioned AUR package includes a systemd unit file. However, it should be fairly straightforward to set up a productionized Oragono on any Linux distribution. Here's a quickstart guide for Debian/Ubuntu: -1. Create a dedicated, unprivileged role user who will own the oragono process and all its associated files: `adduser --system --group oragono`. This user now has a home directory at `/home/oragono`. +1. Create a dedicated, unprivileged role user who will own the oragono process and all its associated files: `adduser --system --group oragono`. This user now has a home directory at `/home/oragono`. To prevent other users from viewing Oragono's configuration file, database, and certificates, restrict the permissions on the home directory: `chmod 0700 /home/oragono`. 1. Copy the executable binary `oragono`, the config file `ircd.yaml`, the database `ircd.db`, and the self-signed TLS certificate (`fullchain.pem` and `privkey.pem`) to `/home/oragono`. (If you don't have an `ircd.db`, it will be auto-created as `/home/oragono/ircd.db` on first launch.) Ensure that they are all owned by the new oragono role user: `sudo chown oragono:oragono /home/oragono/*`. Ensure that the configuration file logs to stderr. 1. Install our example [oragono.service](https://github.com/oragono/oragono/blob/master/distrib/systemd/oragono.service) file to `/etc/systemd/system/oragono.service`. 1. Enable and start the new service with the following commands: