Creating a Dedicated User Account on the Operating System to Run Confluence
Create a dedicated user to run Confluence. Confluence runs as the user it is invoked under, so anyone who abuses Confluence acts with that user's privileges.
This is optional if you're evaluating Confluence, but is required for production installations. If you used the Confluence installer on Linux, the installer created this user automatically.
Create a dedicated user account
Linux
If your operating system is *nix-based (for example, Linux or Solaris), type the following in a console:
$ sudo /usr/sbin/useradd --create-home --comment "Account for running Confluence" --shell /bin/bash confluence
Windows
If your operating system is Windows, create the dedicated user account by typing the following at the Windows command line:
> net user confluence mypassword /add /comment:"Account for running Confluence"
(This creates a user account with user name 'confluence' and password 'mypassword'. You should choose your own password.)
Alternatively, open the Windows 'Computer Management' console to add your 'confluence' user with its own password.
Next, use the Windows 'Computer Management' console to remove the 'confluence' user from all unnecessary Windows groups, such as the default 'Users' group.
If Windows is operating under Microsoft Active Directory, ask your Active Directory administrator to create your 'confluence' account (with no prior privileges).
Allow the account to write to specific Confluence directories
Ensure that the following directories can be read and written to by this dedicated user account (e.g. 'confluence'):
- The following sub-directories of the Confluence Installation Directory:
  - logs
  - temp
  - work
- The entire Confluence Home directory.
Set who can access Confluence directories in Linux
To achieve this in Linux, run the following commands:
sudo chown -R confluence <confluence-home-folder>/
sudo chown -R confluence <confluence-install-folder>/logs
sudo chown -R confluence <confluence-install-folder>/work
sudo chown -R confluence <confluence-install-folder>/temp
Leave the other install directories owned by root, as they are controlled by the installer; this also allows for future upgrades:
sudo chmod -R u=rwx,g=rx,o=rx <confluence-install-folder>
sudo chmod -R u=rwx,g=rx,o=rx <confluence-home-folder>
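To check the result on Linux, the following added example (not part of the original page or of Confluence itself) audits the layout described above: it reports anything under logs, temp, work or the home directory that the service account does not own, and anything elsewhere in the install directory that it does own. The function name and finding labels are made up for this example, and the directory paths are assumed to contain no glob characters.

```shell
#!/bin/sh
# Added example (not Atlassian code): audit the ownership layout described above.
# Usage: audit_confluence_dirs SERVICE_USER INSTALL_DIR HOME_DIR
# Prints one finding per line; returns 0 when the layout matches, 1 otherwise.
# Assumption: the paths contain no glob characters (they are used as -path patterns).
audit_confluence_dirs() {
    acd_user=$1
    acd_install=$2
    acd_home=$3
    acd_findings=$(
        # logs, temp and work must exist and belong entirely to the service account.
        for acd_sub in logs temp work; do
            if [ -d "$acd_install/$acd_sub" ]; then
                find "$acd_install/$acd_sub" ! -user "$acd_user" -print |
                    sed 's/^/WRONG_OWNER /'
            else
                echo "MISSING $acd_install/$acd_sub"
            fi
        done
        # The entire home directory must belong to the service account.
        if [ -d "$acd_home" ]; then
            find "$acd_home" ! -user "$acd_user" -print |
                sed 's/^/WRONG_OWNER /'
        else
            echo "MISSING $acd_home"
        fi
        # Everything else under the install directory should stay with root, so the
        # service account cannot rewrite binaries, libraries or configuration.
        find "$acd_install" \
            \( -path "$acd_install/logs" -o -path "$acd_install/temp" \
               -o -path "$acd_install/work" \) -prune \
            -o -user "$acd_user" -print |
            sed 's/^/SERVICE_USER_OWNS /'
    )
    if [ -z "$acd_findings" ]; then
        return 0
    fi
    printf '%s\n' "$acd_findings"
    return 1
}

# Run as a script: sh audit.sh confluence <confluence-install-folder> <confluence-home-folder>
if [ "$#" -eq 3 ]; then
    audit_confluence_dirs "$@"
fi
```

A `SERVICE_USER_OWNS` line for the install directory itself means the service account can rename or replace the root-owned sub-directories inside it.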
See also Best Practices for Configuring Confluence Security.
Confirm who can access Confluence directories in Windows
After installing Confluence you should check the permissions assigned to the installation directory, and make sure there are no unnecessary permissions being inherited. You can also repeat this process for the home directory.
To check the permissions for the install directory:
- Right-click your installation directory and select Properties.
- In the Security tab, select Advanced.
- Select Disable inheritance, and when prompted choose Convert inherited permissions into explicit permissions on this object.
- Select OK.
- Select any group or user account that should not have access and choose Remove.
  We recommend limiting access to only the dedicated 'confluence' user and system administrator groups.
- Select OK to apply changes to your install directory (and all sub-directories).
To confirm your changes, log in to Windows with a normal user account, and check that you can't access the contents of the install directory.