Document how to run writefreely under a separate user

Open glyn opened this issue 1 year ago • 9 comments

Following the Getting Started page results in the writefreely server process running as root, which is far from ideal from a security perspective. It would be better to create a separate user and run the server process under that user.

See https://github.com/writefreely/writefreely/issues/85 for more context.

glyn avatar Jul 09 '24 10:07 glyn

@thebaer I was going to take a crack at a PR for this issue, but I can't find the Getting Started page in the docs repo or in the main writefreely repo for that matter. Please could you tell me where it is?

glyn avatar Jul 09 '24 12:07 glyn

Thanks for taking a look at this @glyn! Sorry for the confusion -- we hadn't added it to this repo. You'll now find it at start.md.

thebaer avatar Aug 13 '24 19:08 thebaer

Thanks. I'll take a look in due course.

glyn avatar Aug 15 '24 16:08 glyn

I started to look at this, but since I don't use MySQL, I'm not going to be able to ensure correct instructions.

FWIW, on Debian, I followed the current installation instructions and then created a user (without a home directory):

# adduser --system writefreely

and changed the permissions of the writefreely installation directory:

# chown -R writefreely [writefreely installation directory]

Then I changed the systemd service definition to run writefreely under its own user:

...
[Service]
Type=simple
User=writefreely
...

glyn avatar Aug 28 '24 10:08 glyn
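A check for the change described in the comment above, as an added example that is not part of the original thread or of WriteFreely's documentation: it reads a unit file and reports the user its `[Service]` section would run as. The function names, the sample unit contents and the `ExecStart` placeholder path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): which user would a unit file run as?

# service_user FILE: print the last User= in [Service], or "root" if none
# (system services run as root when User= is absent or empty).
service_user() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines do not count
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*User[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)           # drop "User ="
            sub(/[ \t]+$/, "", val)                 # drop trailing blanks
            user = val                              # a later assignment wins
        }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# runs_as_root FILE: succeed (exit 0) when the service would run as root.
runs_as_root() {
    u=$(service_user "$1")
    [ "$u" = "root" ] || [ "$u" = "0" ]
}

# write_samples DIR: constructed unit files; ExecStart is a placeholder path.
write_samples() {
    cat > "$1/before.service" <<'EOF'
[Unit]
Description=WriteFreely (constructed sample, as installed)
[Service]
Type=simple
# User=writefreely
ExecStart=/path/to/writefreely
EOF
    cat > "$1/after.service" <<'EOF'
[Service]
Type=simple
User=writefreely
ExecStart=/path/to/writefreely
[Install]
User=ignored-outside-service-section
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.service; do
    if runs_as_root "$f"; then echo "${f##*/}: runs as root"
    else echo "${f##*/}: runs as $(service_user "$f")"; fi
done
rm -rf "$tmp"
```

The script reads a single file and does not follow drop-in overrides; on a live host, `systemctl show -p User writefreely.service` reports the value systemd actually uses.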

No worries, I can verify all of the MySQL side for you. But those instructions look good to me!

thebaer avatar Sep 17 '24 18:09 thebaer

Hi guys, it's not enough to just run under a specific user. You should also consider options restricting system access in general, like the ones described in this document: https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04#file-systemd_service_hardening-md

denis-gz avatar Jan 27 '25 12:01 denis-gz

"Thanks" for that. 🤯

Running under a specific user is better than running as root. It may be sufficient for the purpose of this issue simply to document the need to restrict system access in general.

I personally find systemd boggling and would have no confidence whatsoever in any given choice of configuration options, so I think that could be made a separate issue, which could be addressed by someone who claims to know what they are doing. Plus not everyone will be running systemd, so we might not want to get into those details.

glyn avatar Jan 27 '25 15:01 glyn

> I personally find systemd boggling and would have no confidence whatsoever in any given choice of configuration options

Well, at least it allows you to run a unit in a chroot jail (via the RootDirectory option), something that WriteFreely should implement itself in the first place. I think it's the best option, and not that hard to set up. I can share my writefreely.service unit I created today, with working chroot.

denis-gz avatar Jan 27 '25 16:01 denis-gz

This is all helpful, but I think it's scope creep and deserves a separate issue.

glyn avatar Jan 27 '25 16:01 glyn