From 9e38f9c606fc21433dff4b9921c2ff75b8d5b1f3 Mon Sep 17 00:00:00 2001
From: Andre F de Miranda
Date: Thu, 2 Mar 2017 22:11:14 +1100
Subject: [PATCH] NIFI-3054 - Create all default directories as part of maven-assembly
Update Admin Guide with recommended directory permissions
Update some minor file permissions
---
 nifi-assembly/pom.xml | 5 +-
 nifi-assembly/src/main/assembly/common.xml | 78 ++++++++++++++++++-
 .../main/asciidoc/administration-guide.adoc | 21 +++++
 3 files changed, 100 insertions(+), 4 deletions(-)
diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
index a4421ae0cbdc..b83af4340d2d 100755
--- a/nifi-assembly/pom.xml
+++ b/nifi-assembly/pom.xml
@@ -529,6 +529,7 @@ language governing permissions and limitations under the License. -->
 /opt/nifi/nifi-${project.version}
+ 0550
 /opt/nifi/nifi-${project.version}
@@ -550,7 +551,7 @@ language governing permissions and limitations under the License. -->
 /opt/nifi/nifi-${project.version}/bin
- 750
+ 550
 ${project.build.directory}/generated-resources/bin/nifi.sh
@@ -567,6 +568,7 @@ language governing permissions and limitations under the License. -->
 /opt/nifi/nifi-${project.version}/conf true
+ 660
 ${project.build.directory}/generated-resources/conf
@@ -583,6 +585,7 @@ language governing permissions and limitations under the License. -->
 being those which we want in bootstrap and NOT in lib. -->
 /opt/nifi/nifi-${project.version}/lib
+ 440
 org.bouncycastle:bcprov-jdk15on
diff --git a/nifi-assembly/src/main/assembly/common.xml b/nifi-assembly/src/main/assembly/common.xml
index ec26548370f5..d5cc441cdb74 100644
--- a/nifi-assembly/src/main/assembly/common.xml
+++ b/nifi-assembly/src/main/assembly/common.xml
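Review bot: The `660` mode added to the conf mapping (third hunk, `@@ -567,6 +568,7 @@`) is group-writable, while the Directory and File Permissions table this same commit adds to the administration guide recommends `600` for files under `$NIFI_HOME/conf`; with `660`, any account in the package's group can edit the configuration the guide is trying to lock down. The lib mapping's `440` (fourth hunk) likewise disagrees with the guide's `400` for `$NIFI_HOME/lib`. Either tighten the pom to `600` and `400` so the shipped package matches the documented baseline, or add a comment on those mappings stating why the group read/write bits are intentionally kept. The XML element names are not visible in this rendering, so which mapping elements carry these values is inferred from the surrounding hunk context.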
@@ -96,22 +96,94 @@
 ./README.md ./ README
- 0644
+ 0444
 true ./LICENSE ./ LICENSE
- 0644
+ 0444
 true ./NOTICE ./ NOTICE
- 0644
+ 0444
 true
+
+
+
+ .
+ ./content_repository
+
+ */**
+
+
+
+ .
+ ./database_repository
+
+ */**
+
+
+
+ .
+ ./flowfile_repository
+
+ */**
+
+
+
+ .
+ ./logs
+
+ */**
+
+
+
+ .
+ ./provenance_repository
+
+ */**
+
+
+
+ .
+ ./provenance_repository
+
+ */**
+
+
+
+ .
+ ./run
+
+ */**
+
+
+
+ .
+ ./state
+
+ */**
+
+
+
+ .
+ ./work
+
+ */**
+
+
+
+
\ No newline at end of file
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index fff0bdd990a7..0e35b791d0e5 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
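Review bot: The `./provenance_repository` fileSet is added twice in this hunk (the fifth and sixth of the new `*/**`-excluded fileSets), which looks like a copy-paste duplicate; one of the two should be dropped. None of the new fileSets shows a mode value, so these directories are presumably created with the assembly's default directoryMode, whereas the guide section in this same commit recommends `700` for the repository, logs, run, state and work directories — if the archive is meant to establish that baseline, a `directoryMode` on these entries (or a short comment stating that the mode is set at install time rather than by the assembly) would make the intent explicit. The file also now ends without a trailing newline (`\ No newline at end of file`). Element names are stripped in this rendering, so the fileSet structure is inferred from the `.`, `./<dir>` and `*/**` values.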
@@ -163,6 +163,27 @@ the web server will REQUIRE certificate based client authentication.
 Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is accomplished by setting the `nifi.remote.input.secure` and `nifi.cluster.protocol.is.secure` properties, respectively, to `true`.
+Directory and File Permissions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In order to minimise the likelihood of unauthorised modifications to your NiFi instance, upon installing NiFi, you should ensure the following directory permissions are configured:
+[options="header"]
+|==================================================================================================================================================
+| Directory | Owner | Directory POSIX Permissions | Files POSIX Permissions
+|`$NIFI_HOME/` | `root` | `550` | `550`
+|`$NIFI_HOME/bin` | `root` | `550` | `550`
+|`$NIFI_HOME/conf` | `nifi-user` | `700 | `600`
+|`$NIFI_HOME/content_repository` | `nifi-user` | `700` | `600`
+|`$NIFI_HOME/database_repository` | `nifi-user` | `700` | `600`
+|`$NIFI_HOME/docs` | `root` | `550` | `400`
+|`$NIFI_HOME/flowfile_repository` | `nifi-user` | `700` | `600`
+|`$NIFI_HOME/lib` | `root` | `550` | `400`
+|`$NIFI_HOME/logs` | `nifi-user` | `700 | `N/A`
+|`$NIFI_HOME/provenance_repository` | `nifi-user` | `700` | `600`
+|`$NIFI_HOME/work` | `nifi-user` | `700` | `600`
+|`$NIFI_HOME/state` | `nifi-user` | `700` | `600`
+|`$NIFI_HOME/run` | `nifi-user` | `700` | `600`
+|==================================================================================================================================================
+
 TLS Generation Toolkit
 ~~~~~~~~~~~~~~~~~~~~~~
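Review bot: Two rows of the new permissions table have an unterminated monospace span: in the `$NIFI_HOME/conf` and `$NIFI_HOME/logs` rows the `700` cell is missing its closing backtick, so those cells will not render as intended; close the span so both read `700` like the other rows. The table also disagrees with what this commit packages: it lists files directly under `$NIFI_HOME/` as `550` while common.xml sets README, LICENSE and NOTICE to `0444`, and conf files as `600` while pom.xml sets `660`; aligning the table with the assembly (or vice versa) avoids operators finding that the installed tree does not match the guide. A sentence after the table explaining the split — the service account needs write access only to the `700` directories, and `root` ownership of `$NIFI_HOME`, bin, lib and docs stops the running service from modifying its own code — would make the recommendation easier to apply to a non-default layout.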