Diffstat
-rw-r--r-- | doc/guide.tex | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/doc/guide.tex b/doc/guide.tex index 57a227cf..5dc35331 100644 --- a/doc/guide.tex +++ b/doc/guide.tex @@ -361,7 +361,7 @@ The files and directories created are, by default: \titem{/sbin/ejabberdctl} Administration script \titem{/var/lib/ejabberd/} \begin{description} - \titem{.erlang.cookie} Erlang cookie file + \titem{.erlang.cookie} Erlang cookie file (see section \ref{cookie}) \titem{db} Mnesia database spool files \titem{ebin} Binary Erlang files (*.beam) \titem{priv} @@ -3809,7 +3809,7 @@ an account with proper privileges. \ejabberd{} uses the distributed Mnesia database. Being distributed, Mnesia enforces consistency of its file, -so it stores the name of the Erlang node in it. +so it stores the name of the Erlang node in it (see section \ref{nodename}). The name of an Erlang node includes the hostname of the computer. So, the name of the Erlang node changes if you change the name of the machine in which \ejabberd{} runs, @@ -3889,8 +3889,9 @@ erl ... -kernel inet_dist_listen_min 4370 inet_dist_listen_max 4375 \makesection{cookie}{Erlang Cookie} The Erlang cookie is a string with numbers and letters. -An Erlang node reads the cookie at startup from the command-line parameter \term{-setcookie} -or from a cookie file. +An Erlang node reads the cookie at startup from the command-line parameter \term{-setcookie}. +If not indicated, the cookie is read from the cookie file \term{\$HOME/.erlang.cookie}. +If this file does not exist, it is created immediately with a random cookie. Two Erlang nodes communicate only if they have the same cookie. Setting a cookie on the Erlang node allows you to structure your Erlang network and define which nodes are allowed to connect to which. 
@@ -3922,6 +3923,32 @@ using a modified version of Erlang \term{epmd}. The recommended way to secure the Erlang node is to block the port 4369. +\makesection{secure-files}{Securing sensible files} + +\ejabberd{} stores sensible data in the file system either in plain text or binary files. +The file system permissions should be set to only allow the proper user to read, +write and execute those files and directories. + +\begin{description} + \titem{ejabberd configuration file: /etc/ejabberd/ejabberd.cfg} + Contains the JID of administrators + and passwords of external components. + The backup files probably contain also this information, + so it is preferable to secure the whole \term{/etc/ejabberd/} directory. + \titem{ejabberd service log: /var/log/ejabberd/ejabberd.log} + Contains IP addresses of clients. + If the loglevel is set to 5, it contains whole conversations and passwords. + If a logrotate system is used, there may be several log files with similar information, + so it is preferable to secure the whole \term{/var/log/ejabberd/} directory. + \titem{Mnesia database spool files: /var/lib/ejabberd/db/*} + The files store binary data, but some parts are still readable. + The files are generated by Mnesia and their permissions cannot be set directly, + so it is preferable to secure the whole \term{/var/lib/ejabberd/db/} directory. + \titem{Erlang cookie file: /var/lib/ejabberd/.erlang.cookie} + See section \ref{cookie}. +\end{description} + + \makechapter{clustering}{Clustering} \ind{clustering} |
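Review bot: the new \ref{nodename} in the Mnesia paragraph (hunk @@ -3809) points at a label that this patch does not define, while the sibling reference \ref{cookie} does resolve to the visible \makesection{cookie}{Erlang Cookie}. Unless a \makesection{nodename}{...} already exists elsewhere in guide.tex, LaTeX will typeset "??" and warn about an undefined reference; please confirm the label or add the section in the same patch.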
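Review bot: the rewritten cookie paragraph (hunk @@ -3889) should say that a cookie passed with \term{-setcookie} is visible to every local user in the process list, so the cookie file is the safer of the two sources and the one the rest of the guide relies on; as written, the command-line form is presented first and without any caveat. The same paragraph names the file \term{\$HOME/.erlang.cookie} without saying whose home directory is meant, while the first hunk locates it at /var/lib/ejabberd/.erlang.cookie; one sentence tying the two together (the home directory of the user running ejabberd) would avoid the reader looking in root's home. Minor wording: "If not indicated" reads better as "If not given".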
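Review bot: "sensible" should be "sensitive" in both the section title \makesection{secure-files}{Securing sensible files} and the opening sentence "stores sensible data", since "sensible" means "reasonable" in English and the heading will read oddly. In the same hunk, the cookie item only says "See section \ref{cookie}", but the cookie section as rewritten in this patch says nothing about file permissions; either state here that /var/lib/ejabberd/.erlang.cookie must be readable by the ejabberd user only, or move that sentence into the cookie section so the cross-reference actually answers the question. Two smaller edits: "The backup files probably contain also this information" should read "Backup files probably contain this information too", and there are two blank lines before \makechapter{clustering} where the file uses one.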