Changed the docs to explain more deeply how to set up the database more

[mir.git] / doc / INSTALL.mir

Here is a short installation-howto of Mir.


prerequisites: 

- tomcat 
- apache with mod_jk.so 
- postgres 7.1.x
- ant (a java-based make) 
- jaxp-1.1 (a SAX 2.0 compliant XML parser, comes with ant >= 1.4)

1. checkout the cvs

CVS LOGIN:

        cvs -d :pserver: cvsanon@brazil.indymedia.de:/var/cvs login 
        password: cvs 

CVS CHECKOUT:

        cvs -d :pserver: cvsanon@brazil.indymedia.de:/var/cvs co mir 


2. customize the config: 

        cd mir/source 
        cp config.properties-dist config.properties 

now customize config.properties for your needs.


3. configure the build.xml file if neccessary
    cd ..
    cp build.xml-new build.xml


4. configure the perms.sh file if neccessary -- IMPORTANT! READ THIS!
We provide a script that sets all files' and direcories' permissions to
a quite reasonable state. This script gets automagically called by
ant after compilationl. The most important thing you have to do after
compiling Mir is to ensure that the log files -- especially 
dbentity.log -- are not readable by users that could compromise 
system security, because all passwords and the like will be logged here.
        
        cp perms.sh-dist perms.sh

Now, change the install directory and group in perms.sh

        edit perms.sh 


5. copy the mir/templates-dist-directory to mir/templates


6. compile 
Do this as root so the permissions script is able to set
the permissions and owners correctly.

    ant 


7. Link in the webapps directory of tomcat to the install directory (the 
directory is called "Mir" and is located in the same directory in which 
you installed the "mir" directory). 
        cd /usr/share/tomcat/webapps
        ln -s Mir-install-dir Mir

8. Modify your tomcat startup script and add an LD_LIBRARY_PATH variable
that points to the WEB-INF/lib directory of your Mir install dir. (called
"Mir"). Add something like the following at the top of tomcat.sh (tomcat.sh
is found in the "bin/" dir. under $TOMCAT_HOME):
    LD_LIBRARY_PATH=/path/to/Mir-install-dir/WEB-INF/lib

An alternaive way to avoid this is to copy any dynamic library files 
ending with ".so" in WEB-INF/lib to your jre/jdk lib directory (where the 
other ".so" files live). Or, you can skip the whole thing and live without
"native" acceleration for image manipulation


9a. create a new database 
The database name should be the same as in config.properties. Please look at
the section "Database.*" to look up the names or change them to your needs. 

It is wise in terms of system seurity to use an unprivileged user for this
task instead of the superuser. This is because if Mir uses the superuser to
connect to the database and anybody manages to find out the password Mir 
uses to connect, the attacker can take over the complete database. So, in
the following examples, we assume that the database name is "Mir", the
database user will be "mir" and the password is "joshua". Please note that
this particular password is far from being a good one. Watch "Wargames" for
details. =B) 

To access the database as the database superuser, you either have to log in
as postgres on Unix level (which we don't recommend because you will need
another user to have a login shell and a password which makes system
penetration more likely) or you have to tell PostgreSQL with each
application call that you want to connect as a specific user. If you access
the database from any other user's account, use the -U flag to connect to
PostgreSQL as the database superuser ("postgres"):

        createdb -U postgres Mir 

Please note that if you create the database from inside the psql application,
the database name will likely be converted to lowercase letters.


9b. create an unprivileged database user for Mir
First, connect to the database as the database's superuser. 

        psql -U postgres Mir

Now we create the actual user. Please choose a password that is hard to 
guess instead of "joshua". Good passwords have characters and numerals in
it, have no link to its owner (like being her birthday, age, name of her 
husband, dog, child, car, favourite beer brand). A good password looks like
this: "8ncx4un".
    
    CREATE USER Mir WITH PASSWORD 'joshua' NOCREATEDB NOCREATEUSER;


9c. create base table
Please note that we use the superuser "postgres" to connect to the "Mir"
database, /not/ the user "mir". 

        psql -Upostgres -f dbscripts/create_pg.sql Mir
    for i in dbscripts/help*.sql ; do psql -Upostgres -f $i Mir ; done
    for i in dbscripts/populate*.sql ; do psql -Upostgres -f $i Mir ; done


9d. Apply neccessary changes to config.properties

Please open config.properties and look for the lines that begin with
"Database.". The interesting properties are "Username", "Password", "Host"
and "Name". Change these properties so that they reflect the settings you
used to create the database and the user.

You should make sure that no copy of config.properties (neither in mir nor
in Mir/src nor in Mir/WEB-INF/classes nor in the directory tree you compiled
Mir from) is world-readable. Else you wouldn't have to install a password,
anyway.


9e. Setup PostgreSQL so that all connections have to pass a password

In /etc/postgresql/pg_hba.conf you should make sure that nobody can
use the database without a password:

local            all                                                                               password
host         all         127.0.0.1     255.0.0.0           password
host         all         0.0.0.0       0.0.0.0             reject

This means: All local connections (i.e. psql without "-h hostname" option)
have to authenticate themselves with a password. All connections from
localhost (127.0.0.1) have to supply a password, too. All other connections
are rejected. This line doen't have to be there if you have a properly
configured firewall but even if you do have one, it adds to the security in
case an attacker penetrates the firewall by some hack.

If you can't access PostgreSQL after this for any reason, try and change
"password" in /etc/postgresql/pg_hba.conf to "trust". This should disable
any authentication method and make the database accessible again. Please use 
this setting only temporarily because anybody who can access the PostgreSQL
server could take over the database completely this way. After you fixed
your password setting, switch the setting back to "password".
You may want to change your PostgreSQL password from time to time to make
database takeover harder. Rememer: Security is a process.



10. Add the dupe prevention trigger to the database:
        cd dbscripts/dupetrigger
        
        There, read INSTALL and follow the instructions.
        

11. restart tomcat 

12. configure mod_jk 

insert the following patch into /etc/apache/httpd.conf. Edit the directories
to suit your needs.

<IfModule mod_jk.c>
JkWorkersFile /usr/share/tomcat/conf/workers.properties
Include /usr/share/tomcat/conf/mod_jk.conf-auto
</IfModule>

Do not put any JkMount lines into your httpd.conf!

If mod_jk.conf-auto doesn't get written or is 0 bytes in size, check your
system for file ownership/permissions problems.



that's it :)

now the admin-application is accesable via:  

        http://host/Mir 

and the openposting-servlet via  
        
        http://host/OpenMir

standard login is redaktion/indymedia



TROUBLESHOOTING

You can give these a try if anything goes wrong:

+ Restart Tomcat. Especially after compiling the sources Tomcat has to be
  restarted.

+ Check file permissions and ownership. Try and run perms.sh.