author | Marcel <mtrnord1@gmail.com> | 2021-04-06 12:26:47 +0000 |
---|---|---|
committer | Marcel <mtrnord1@gmail.com> | 2021-04-06 12:26:47 +0000 |
commit | 9b2f8730bb7123a29c09e87cc60b681b1b8ec3c1 (patch) | |
tree | 5620935620e464516daf6cabdcf114bb68b780ad /DEPLOY.md | |
parent | c9b1f0ca83e011e1b405873fe32bcd5c22aa2632 (diff) | |
download | conduit-9b2f8730bb7123a29c09e87cc60b681b1b8ec3c1.zip |
fix: Do not run conduit as root instead use a separate user
Diffstat (limited to 'DEPLOY.md')
-rw-r--r-- | DEPLOY.md | 22 |
1 files changed, 20 insertions, 2 deletions
@@ -18,6 +18,14 @@ $ sudo wget -O /usr/local/bin/matrix-conduit <url> $ sudo chmod +x /usr/local/bin/matrix-conduit ``` +## Adding a conduit user + +While conduit can run as any user it is usually better to use dedicated users for different services. +This also allows you to make sure that the file permissions are correctly set up. + +In debian you can use this command to create a conduit user: + +`sudo adduser --system conduit --no-create-home` ## Setting up a systemd service @@ -33,8 +41,8 @@ After=network.target [Service] Environment="CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml" -User=root -Group=root +User=conduit +Group=nogroup Restart=always ExecStart=/usr/local/bin/matrix-conduit @@ -91,6 +99,16 @@ allow_federation = true address = "127.0.0.1" # This makes sure Conduit can only be reached using the reverse proxy ``` +## Setting the correct file permissions + +As we are using a conduit specific user we need to allow it to read the config. +To do that you can run this command on debian: + +`sudo chown -R conduit:nogroup /etc/matrix-conduit` + +If you use the default database path you also need to run this. (It might be that you first need to create that folder): + +`sudo chown -R conduit:nogroup /var/lib/matrix-conduit/conduit_db` ## Setting up the Reverse Proxy |
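Review bot: the `adduser` command in the new "Adding a conduit user" section (first hunk) omits `--group`, so on Debian the account gets `nogroup` as its primary group rather than a group of its own. Suggest `sudo adduser --system --group --no-create-home conduit`, which creates a matching `conduit` group for the service. Minor wording point in the same hunk: "In debian" reads better as "On Debian".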
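Review bot: `Group=nogroup` in the `[Service]` hunk (second hunk) puts the daemon in a group shared with every other account that defaults to `nogroup`, so any group permission granted on Conduit's files applies to those accounts as well. Suggest a dedicated group here, e.g. `Group=conduit`, created together with the user.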
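Review bot: `sudo chown -R conduit:nogroup /etc/matrix-conduit` in the new "Setting the correct file permissions" section (third hunk) makes the service account the owner of its own configuration, which gives it write access, while the text only asks for it to be able to read the config. Suggest leaving the directory owned by root and granting read access through the service's group, and keeping the ownership change for the database path, which the service does need to write to. The remark "It might be that you first need to create that folder" would also be easier to follow with the command spelled out, e.g. `sudo mkdir -p /var/lib/matrix-conduit/conduit_db`.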