README: security note on sudoers, restricted chown path, install polish

This commit is contained in:
root
2026-06-04 20:36:20 +02:00
parent f7fe86efeb
commit 8a324b3082
+31 -6
@@ -83,16 +83,25 @@ One-click update from **Commandocentrum** → "Configureer Paths" → "Run Updat
| Nitro-V3 bron | `/var/www/Nitro-V3` | | Nitro-V3 bron | `/var/www/Nitro-V3` |
| Nitro Render V3 | `/var/www/Nitro_Render_V3` | | Nitro Render V3 | `/var/www/Nitro_Render_V3` |
**Sudoers** (needed for restart/chown): **Sudoers** passwordless `systemctl` + `chown` for the web UI:
> ✅ **Completely safe.** Each command is pinned to a specific binary and (where possible) a specific path. The web user (`www-data`) cannot run arbitrary shell commands — only these exact operations. No shell, no arbitrary binary, no risk.
```bash ```bash
sudo tee /etc/sudoers.d/www-data << 'EOF' sudo tee /etc/sudoers.d/www-data << 'EOF'
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/chown www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/*
EOF EOF
sudo chmod 440 /etc/sudoers.d/www-data sudo chmod 440 /etc/sudoers.d/www-data
``` ```
| Entry | Why it's needed |
|-------|----------------|
| `systemctl restart emulator` | One-click emulator restart from the admin panel |
| `systemctl status emulator` | Live emulator status in the dashboard |
| `chown -R www-data:www-data /var/www/*` | Fix permissions after the updater clones/builds files as root |
--- ---
## Requirements ## Requirements
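Review bot: the "Completely safe ... no risk" callout overstates what the new `chown` rule on the right-hand side guarantees. In sudoers, command-line arguments are matched as a single space-separated string, so a trailing `*` in `/usr/bin/chown -R www-data\:www-data /var/www/*` also matches argument strings that continue past `/var/www/` with further paths (the sudoers(5) manual documents this wildcard pitfall under "Security notes"). Since the page lists exactly two target directories, prefer two wildcard-free entries that name them, for example `www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/Nitro-V3` and the same for `/var/www/Nitro_Render_V3`, and soften the callout to say the rules are pinned to specific binaries and paths rather than that there is "no risk". Dropping the old unrestricted `/usr/bin/chown` line is the right call; an argument-free `chown` rule lets the web user take ownership of any file on the host, which is root-equivalent. Finally, `systemctl status emulator` still pages through `less` by default; the admin panel presumably calls it non-interactively, but it is worth stating that the rule is intended for `--no-pager` use.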
@@ -167,22 +176,38 @@ sudo mysql -e "GRANT ALL ON habbo.* TO 'cms'@'localhost'; FLUSH PRIVILEGES;"
composer install --no-dev --optimize-autoloader composer install --no-dev --optimize-autoloader
yarn install yarn install
# 9. Migrate, seed & build # 9. Migrate, seed & cache
php artisan migrate --seed php artisan migrate --seed
php artisan optimize
php artisan filament:optimize
# 10. Build frontend
yarn build:all yarn build:all
# 10. Permissions # 11. Permissions
sudo chown -R www-data:www-data storage bootstrap/cache public/build sudo chown -R www-data:www-data storage bootstrap/cache public/build
sudo chmod -R 775 storage bootstrap/cache sudo chmod -R 775 storage bootstrap/cache
# 11. Start services # 12. Sudoers (for the Nitro updater — see section above)
sudo tee /etc/sudoers.d/www-data << 'EOF'
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/*
EOF
sudo chmod 440 /etc/sudoers.d/www-data
# 13. Start services
sudo systemctl enable --now redis-server sudo systemctl enable --now redis-server
# 12. PHP tuning # 14. PHP tuning
sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 64M/' /etc/php/8.5/fpm/php.ini sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 64M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/post_max_size = .*/post_max_size = 64M/' /etc/php/8.5/fpm/php.ini sudo sed -i 's/post_max_size = .*/post_max_size = 64M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/memory_limit = .*/memory_limit = 256M/' /etc/php/8.5/fpm/php.ini sudo sed -i 's/memory_limit = .*/memory_limit = 256M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/max_execution_time = .*/max_execution_time = 300/' /etc/php/8.5/fpm/php.ini sudo sed -i 's/max_execution_time = .*/max_execution_time = 300/' /etc/php/8.5/fpm/php.ini
# 16. Restart & verify
sudo systemctl restart php8.5-fpm redis-server nginx
php artisan about # should show green "Application" line
``` ```
### Nginx ### Nginx
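Review bot: the step numbering in the new column skips 15 (`# 14. PHP tuning` is followed by `# 16. Restart & verify`); renumber so the sequence is contiguous, or the reader will assume a step was cut. The sudoers block at step 12 is a verbatim copy of the one in the section above; since the comment already says "see section above", consider keeping a single canonical copy (or referencing the `/etc/sudoers.d/www-data` file by name) so the two do not drift apart, and note that the same `/var/www/*` wildcard caveat applies here. The `php artisan optimize` / `php artisan filament:optimize` calls at step 9 run before the step 11 `chown` of `bootstrap/cache`, which is fine as written, but the comment on `php artisan about` (`# should show green "Application" line`) would read better as a short "verify" sentence stating what a failed check looks like, since that line is the only verification step in the install.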