author | Antoni Sawicki <tenox@google.com> | 2022-03-24 02:59:39 -0700 |
---|---|---|
committer | Antoni Sawicki <tenox@google.com> | 2022-03-24 02:59:39 -0700 |
commit | 79d6d2fa1e660852fdf694432f48cad16129253c (patch) | |
tree | 4695b59dc602133b529c91014ebf10998dcfc788 | |
parent | 38b716655678cf3b06ca8b412044e49be06ad8e4 (diff) | |
download | wfm-79d6d2fa1e660852fdf694432f48cad16129253c.tar.gz |
add 8080 example and readme update
-rw-r--r-- | README.md | 38 | ||||
-rw-r--r-- | service/systemd/wfm80.service (renamed from service/systemd/wfm.service) | 0 | ||||
-rw-r--r-- | service/systemd/wfm8080.service | 22 |
3 files changed, 41 insertions, 19 deletions
@@ -12,34 +12,34 @@ sharing site or a lightweight Content Management System (CMS). WFM can also serv public, static html files from a selected directory which you can manage from the private interface. See usage scenarios for more information. -WFM is a standalone service with it's own web server. It runs from systemd, sysvinit, -launchd, bsd rc or Docker. TLS/SSL is supported with automatic certificate generation -by Lets Encrypt / Certbot / ACME. - -Written in Go language, much like Docker, Kubernetes, Hugo, etc. The binary is -fully self contained and has zero dependencies. No need for Python, PHP, SQL, JavaScript, -Node or any other bloat. WFM works on both modern and old web browsers going back to +WFM is a standalone service with it's own web server. No need for Apache, Nginx or +anything else. It directly runs from systemd, sysvinit, launchd, bsd rc or Docker. +TLS/SSL is supported with automatic certificate generation by Lets Encrypt / Certbot. + +Written in Go language, much like Docker, Kubernetes, Hugo, etc. The binary is statically +linked, fully self contained and has zero external dependencies. Icons are Unicode +emojis. CA Certs are embedded at built time. No need for Python, PHP, SQL, JavaScript, +Node or any other bloat. WFM works on both modern and legacy web browsers going back to Internet Explorer 2.x and Netscape 3.x. It outputs validated HTML 4.01 without JavaScript. ## Deployment scenarios -For security reasons WFM doesn't have any provisions for specifying what directory to use. -It always uses root dir / and solely relies on chroot for limiting to the jail directory. - -Chroot can be set by WFM own `-chroot=/dir` flag or by Systemd `RootDirectory=`. Also -depending on what port you want WFM to listen to (eg 80/443 vs 8080) you need to run it -as root or regular user. If ran by root WFM support flag `-setuid=user` to setuid after -port bind is complete. +WFM relies on chroot for limiting which directory to use. 
Chroot can be set by WFM own +`-chroot=/dir` flag or by Systemd `RootDirectory=`. Also depending on what port you want +WFM to listen to (eg 80/443 vs 8080) you need to run it as root or regular user. If ran +by root WFM supports flag `-setuid=<user>` to setuid after port bind is complete. ### Systemd -An example service file is provided [here](systemd/wfm.service). By default it starts the -process as root to allow to bind to port 80. You can specify destination directory in -`-chroot=/datadir` and user to run as in `-setuid=myuser`. WFM will automatically chroot -and setuid after port bind is complete. +An example service file is provided [here](service/systemd/wfm80.service). By default it +starts the process as root to allow to bind to port 80. You can specify destination +directory in `-chroot=/datadir` and user to run as in `-setuid=myuser`. WFM will +automatically chroot and setuid after port bind is complete. You can specify Systemd `User=` other than root if you also use `RootDirectory=` for -chroot, a non privileged port (above 1024) or your binary has adequate capabilities set. +chroot and use non privileged port (above 1024, eg 8080), or your binary has adequate +capabilities set. Example [here](service/systemd/wfm80.service). + ### Docker diff --git a/service/systemd/wfm.service b/service/systemd/wfm80.service index e3e7046..e3e7046 100644 --- a/service/systemd/wfm.service +++ b/service/systemd/wfm80.service diff --git a/service/systemd/wfm8080.service b/service/systemd/wfm8080.service new file mode 100644 index 0000000..e6e4abc --- /dev/null +++ b/service/systemd/wfm8080.service 
@@ -0,0 +1,22 @@ +[Unit] +Description=Web File Manager +After=network.target + +[Service] +User=myuser +RootDirectory=/home/myuser +ExecStart=/usr/local/sbin/wfm -addr=:8080 +Restart=on-failure +SuccessExitStatus=3 4 +RestartForceExitStatus=3 4 +RestartSec=60 + +# Hardening +ProtectSystem=full +PrivateTmp=true +SystemCallArchitectures=native +MemoryDenyWriteExecute=true +NoNewPrivileges=true + +[Install] +WantedBy=multi-user.target |
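Review bot: In the README.md hunk, the last added paragraph of the Systemd section (non-root `User=` with `RootDirectory=` and a port such as 8080) ends with "Example [here](service/systemd/wfm80.service)", which is the root / port 80 unit already linked at the top of that section. The unit this commit adds for that scenario is service/systemd/wfm8080.service, so the link should point there. While touching the paragraph above it, "embedded at built time" should read "build time". The hunk also drops the sentence stating that WFM has no flag for choosing a directory and always serves `/`. That was the reason chroot is mandatory rather than optional, so consider keeping one sentence to that effect for readers who run the binary without `-chroot` or `RootDirectory=`.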
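Review bot: In service/systemd/wfm8080.service, `ExecStart=/usr/local/sbin/wfm` is combined with `RootDirectory=/home/myuser`, and the unit does not say that systemd requires the binary to be present inside the new root when `RootDirectory=` is set. As written, the service only starts if a copy of the binary exists at /home/myuser/usr/local/sbin/wfm. Add a comment in the unit, or a line in the README, telling the user to place the static binary inside the jail. It is also worth noting there that the jail root here is the home directory of the same `User=myuser` the service runs as, so the binary inside the jail should be owned by root and not writable by that user, otherwise anything able to write files through WFM can replace the executable that systemd restarts.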