Just wondering out loud, but how many folks really use /home/pydio rather than customizing the home dir and how many allow a pydio user as documented? (allowing SSH).
I am wondering why that step (SSH) in particular seems to missing any comment in the docs. Any side effects that anyone has noticed to blocking SSH remote access to Pydio or changing the home dir to something like /var/pydio or what do you use?
Am I overthinking it (and I don’t think I am overthinking the SSH methinks)…
Actually you can use any home directory that you wish to.
Cells will create by default when ran with a user (I would advise against running Cells with root user) its config and data folder inside
In the documentation to keep track and make sure that everything is easy to configure we assume that everything is done by the user
pydio and its home dir
/home/pydio, you can swap the user with another, but it is good practice to have a dedicated user for Cells.
You can also block access to other commands for the user
pydio except setcap ( to at least be able to use port 80/443).
Also for the SSH access, Cells does not need it therefore you can disable it for the user Pydio.
If you have any other question or if my answer was not clear do not hesitate to ask other questions.
we are also currently working on images for various cloud providers. We tend unify the convention we use for production systems and the layout we are coming with is as follow:
- user pydio with no sudo right / no direct ssh access.
- working folder is set to
- we have added a
/opt/pydio folder that contains a bin subfolder with binaries and specific scripts, some ReadMe and the Eulas + a conf folder for spdecific launch time configuration
- we use a sysadmin user with full sudo permissions for administrative tasks.
Lately, as @zayn explained, we are experiencing with adding on specific sudo right to pydio user so that we can add this line in our systemd service file, and thus avoid having to manually do the setcap when updating the app:
ExecStartPre=/usr/bin/sudo /sbin/setcap 'cap_net_bind_service=+ep' /opt/pydio/bin/cells
You can also find a similar layout in our docker images.
This said, we would greatly appreciate feedback on the subject: do not hesitate to share your thoughts, ideas, critics: we would be glad to enhance things in the next releases.
We know we also have to then improve the documentation on this, but it is a long process (a.k.a PR are welcomed if you have ideas to enhance the docs … everything is opensource on github,   so feelfree to help)
I am working on it now… and testing and seeing what I can do and can’t do and trying to see what breaks. First to get it running as I want, then to start doing things like /bin/false or /bin/nologin etc
But this is useful, so i can block everything except setcap? and no incoming SSH needed (actually, I do, but I know with the new approach I have to use sshfs)
Ty. I will update as ideas thoughts to issue a PR as it occurs to me.