feat: add instructions to set directory permissions on manually installs (#4413)

* feat: add instructions to set directory permissions on manually installs * fix: cleanup wording Co-authored-by: kelseiv <47797004+kelseiv@users.noreply.github.com> * fix: code cleanup * feat: add information about umask Co-authored-by: kelseiv <47797004+kelseiv@users.noreply.github.com> Co-authored-by: Scott Anderson <sanderson@users.noreply.github.com>
2022-09-06 17:32:41 -04:00 · 2022-09-06 17:32:41 -04:00 · 95e538075c
parent c42a3da154
commit 95e538075c
1 changed files with 39 additions and 0 deletions
--- a/content/influxdb/v2.4/install.md
+++ b/content/influxdb/v2.4/install.md
@ -87,6 +87,17 @@ do the following:
    `./` to run it in place.

 {{< expand-wrapper >}}
+{{% expand "<span class='req'>Recommended</span> – Set appropriate directory permissions" %}}
+
+To prevent unwanted access to data, we recommend setting the permissions on the influxdb `data-dir` to not be world readable. For server installs, it is also recommended to set a umask of 0027 to properly permission all newly created files.
+
+Example:
+
+```shell
+> chmod 0750 ~/.influxdbv2
+```
+
+{{% /expand %}}
 {{% expand "<span class='req'>Recommended</span> – Verify the authenticity of downloaded binary" %}}

 For added security, use `gpg` to verify the signature of your download.
@ -315,6 +326,17 @@ See InfluxDB [configuration options](/influxdb/v2.4/reference/config-options/) f
    `./` to run it in place.

 {{< expand-wrapper >}}
+{{% expand "<span class='req'>Recommended</span> – Set appropriate directory permissions" %}}
+
+To prevent unwanted access to data, we recommend setting the permissions on the influxdb `data-dir` to not be world readable. For server installs, it is also recommended to set a umask of 0027 to properly permission all newly created files. This can be done via the UMask directive in a systemd unit file, or by running influxdb under a specific user with the umask properly set.
+
+Example:
+
+```shell
+> chmod 0750 ~/.influxdbv2
+```
+
+{{% /expand %}}
 {{% expand "<span class='req'>Recommended</span> – Verify the authenticity of downloaded binary" %}}

 For added security, use `gpg` to verify the signature of your download.
@ -420,6 +442,23 @@ Expand the downloaded archive into `C:\Program Files\InfluxData\` and rename the
 > mv 'C:\Program Files\InfluxData\influxdb2-{{< latest-patch >}}-windows-amd64' 'C:\Program Files\InfluxData\influxdb'
 ```

+{{< expand-wrapper >}}
+{{% expand "<span class='req'>Recommended</span> – Set appropriate directory permissions" %}}
+
+To prevent unwanted access to data, we recommend setting the permissions on the influxdb `data-dir` to not be world readable.
+
+Example:
+
+````powershell
+> $acl = Get-Acl "C:\Users\<username>\.influxdbv2"
+> $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","Read","Deny")
+> $acl.SetAccessRule($accessRule)
+> $acl | Set-Acl "C:\Users\<username>\.influxdbv2"
+
+{{% /expand %}}
+{{< /expand-wrapper >}}
+
+
 ## Networking ports
 By default, InfluxDB uses TCP port `8086` for client-server communication over
 the [InfluxDB HTTP API](/influxdb/v2.4/reference/api/).