From 90114fae9ea6a2340edd05eb72184bf2ab5584d2 Mon Sep 17 00:00:00 2001 From: Azareal Date: Wed, 22 Aug 2018 21:02:14 +1000 Subject: [PATCH] Update the installation instructions with something a little more hardened. --- README.md | 10 +++++++++- gosora_example.service | 9 +++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 88cbfbb3..8ba0dbfa 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,9 @@ First, you will need to jump to the place where you want to put the code, we wil If you place it in `/www/`, `/public_html/` or any similar folder, then there's a chance that your server might be compromised. -You can navigate to your installation of Gosora by typing the following commands into the console and hitting enter: +The following commands will pull the latest copy of Gosora off the Git repository, will create a user account to run Gosora as, will set it as the owner of the files and will start the installation process. + +Please type these into the console and hit enter: cd /home/ @@ -85,6 +87,12 @@ git clone https://github.com/Azareal/Gosora mv Gosora src +useradd gosora + +chown -R gosora src + +chgrp -R www-data src + cd src chmod 755 ./install-linux diff --git a/gosora_example.service b/gosora_example.service index 4cac71f5..97f147cd 100644 --- a/gosora_example.service +++ b/gosora_example.service 
@@ -3,22 +3,19 @@ Description=Gosora [Service] -Type=simple -# You might want to create a user / group for Gosora and set these to further harden your system, although this this might not work right now, if we're listening directly on port 80 / 443 -#User=gosoraservice -#Group=gosoraservice +User=gosora +Group=www-data Restart=on-failure RestartSec=10 # Set these to the location of Gosora WorkingDirectory=/home/gosora/src +AmbientCapabilities=CAP_NET_BIND_SERVICE # Make sure you manually run pre-run-linux before you start the service ExecStart=/home/gosora/src/Gosora -# If things don't work for some reason, try putting # in-front of the following three lines until it does and open an issue on the bug tracker ProtectSystem=full PrivateDevices=true -PrivateUsers=true [Install] WantedBy=multi-user.target \ No newline at end of file
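Review bot: In the README.md hunk at @@ -73, the new introduction never says these commands must be run as root, although the list now includes `useradd`, `chown -R` and `chgrp -R`, which fail for an unprivileged user. State up front that the block is to be run as root or through sudo. As a style point, the sentence repeats "will" four times; "pull the latest copy of Gosora, create a user account to run it as, make that account the owner of the files and start the installation" reads more cleanly.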
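Review bot: In the README.md hunk at @@ -85, `chown -R gosora src` hands the service account ownership of the whole tree, including the executable the unit starts as that same user (`ExecStart=/home/gosora/src/Gosora`), so a compromised Gosora process can overwrite its own binary and code. Consider keeping the code and binary owned by root and giving gosora write access only to the directories it has to write to. Two smaller points on the same lines: `useradd gosora` creates an ordinary account, where a system account with no login shell (`useradd --system --shell /usr/sbin/nologin gosora`, with the nologin path depending on the distribution) fits a service user better; and `chgrp -R www-data src` assumes a `www-data` group, which exists by default on Debian-family systems but not on every distribution, so the README should say so or create the group first.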
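Review bot: In the gosora_example.service hunk, `AmbientCapabilities=CAP_NET_BIND_SERVICE` is added without anything that bounds what the process can hold or gain beyond it, and it sits under the "# Set these to the location of Gosora" comment, where it reads like a path setting. Move it up beside `User=gosora` / `Group=www-data` with a comment saying it is what lets the unprivileged user bind ports 80 and 443, and consider adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` next to it. The hunk also drops `PrivateUsers=true` together with the comment that told users how to troubleshoot the sandboxing lines, and neither the unit nor the commit message explains why; if it was removed because it conflicts with binding privileged ports as `User=gosora`, a one-line comment saying so would keep someone from re-adding it later.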