curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

post(rsync-nixos): disable createHome to prevent reverting to chmod 700 

- retain world-readable/chmod 755
This commit is contained in:
Ming Di Leom 2021-06-13 00:00:57 +00:00
parent 635ddd3f72
commit 365f937665
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
source/_posts/rsync-setup-nixos.md
View File

@ -37,8 +37,9 @@ Create a separate user with home folder set to where web server will be deployed
www-data = { www-data = {
openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 ..." ];
home = "/var/www"; home = "/var/www";
# Remove this line after "/var/www" is created
createHome = true; createHome = true;
## Required for rsync # Required for rsync
useDefaultShell = true; useDefaultShell = true;
}; };
}; };
@ -53,6 +54,8 @@ Home folder is not world-readable by default, so if you start a web server using
chmod +xr /var/www chmod +xr /var/www
``` ```
Make sure `users.users.www-data.createHome` setting is removed/disabled, otherwise `/var/www` will become non-world-readable after an upgrade.
### Hide dotfiles in web server ### Hide dotfiles in web server
`useDefaultShell` grants a shell to the user and the shell may generate dotfiles to home folder (e.g. `~/.bash_history`/`~/.bashrc`). In practice, those files will be removed automatically every time rsync runs. As a precaution, you should configure the web server not to expose those dotfiles. `useDefaultShell` grants a shell to the user and the shell may generate dotfiles to home folder (e.g. `~/.bash_history`/`~/.bashrc`). In practice, those files will be removed automatically every time rsync runs. As a precaution, you should configure the web server not to expose those dotfiles.