Capistrano security best practice


RustedInSeattle

May 27, 2012, 1:25:02 PM5/27/12
to Capistrano
Hi,
The company I work for has been using Capistrano for Rails web
apps. We have an app user (e.g. foo_app) created for each web app, and
they all belong to a webapp group with no-password sudo privilege:

%webapp ALL=(ALL) NOPASSWD: ALL

In our cap deploy.rb we set an SSH key pair to allow Capistrano to SSH
to the server as the app user and do all cap tasks:

set :ssh_options, {:username=>'foo_app', :keys =>
File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}

I feel a bit uncomfortable having a NOPASSWD sudoer run my app; if
the app process gets compromised, the attacker could easily take over
the entire server.

My question is, is there any way to have a different user that runs my
app, preferably without sudo permission? Ideally I want to have a
single 'deploy' user to do all capistrano remote tasks:

set :ssh_options, {:username=>'deploy', :keys =>
File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}

but I want to have Capistrano use an app-specific user to run my
processes like unicorn, delayed jobs etc.

I have played with the admin_runner and runner variables but they don't work
as I expected. I could change some third-party recipes to sudo as
foo_app when starting processes like unicorn, delayed jobs etc., but
that's a lot of work to keep them updated.

Any ideas?

Thanks!
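As an added example (not part of the original post), the following Ruby script shows the check a defender would want here: it parses sudoers-style rules, flags the unrestricted `%webapp ALL=(ALL) NOPASSWD: ALL` grant the post describes, and prints the narrower replacement in which a single `deploy` user may only become the app user, never root. The sample rules, the `deploy` user and the `restricted_rule` helper are assumptions made for this example.

```ruby
# Added example, not from the thread: audit sudoers-style rules for
# root-equivalent NOPASSWD grants and print a least-privilege alternative.
# The rules below are a constructed sample, not a real /etc/sudoers.
SAMPLE_SUDOERS = <<~SUDOERS
  # constructed sample
  root    ALL=(ALL) ALL
  %webapp ALL=(ALL) NOPASSWD: ALL
  deploy  ALL=(foo_app) NOPASSWD: ALL
  deploy  ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
SUDOERS

SudoRule = Struct.new(:who, :host, :runas, :nopasswd, :commands)

# Parse one "user host=(runas) [NOPASSWD:] commands" line. Returns nil for
# comments, blank lines and syntax this deliberately small parser ignores
# (aliases, Defaults, multiple runas users).
def parse_sudo_rule(line)
  line = line.sub(/#.*/, '').strip
  return nil if line.empty?
  m = line.match(/\A(\S+)\s+(\S+?)=\((\S+?)\)\s*(NOPASSWD:)?\s*(.+)\z/)
  return nil unless m
  SudoRule.new(m[1], m[2], m[3], !m[4].nil?, m[5].strip)
end

def parse_sudoers(text)
  text.lines.map { |l| parse_sudo_rule(l) }.compact
end

# A rule is root-equivalent when the grantee may run any command as root (or
# as ALL, which includes root). That is exactly the grant the post worries
# about: a compromised app process could then take over the whole host.
def root_equivalent?(rule)
  return false if rule.who == 'root' # root already is root; not a finding
  %w[ALL root].include?(rule.runas) && rule.commands == 'ALL'
end

def dangerous_rules(text)
  parse_sudoers(text).select { |r| root_equivalent?(r) }
end

# Least-privilege replacement (assumption: a dedicated "deploy" user exists):
# deploy may run commands only as the given app user, and the app user itself
# gets no sudoers entry at all, so compromising the app yields no escalation.
def restricted_rule(deploy_user, app_user, commands = 'ALL')
  "#{deploy_user} ALL=(#{app_user}) NOPASSWD: #{commands}"
end

if __FILE__ == $0
  dangerous_rules(SAMPLE_SUDOERS).each do |r|
    puts "root-equivalent grant: #{r.who} -> (#{r.runas}) #{r.commands}"
  end
  puts "suggested replacement: #{restricted_rule('deploy', 'foo_app')}"
end
```

The `(foo_app)` runas restriction is the important part: `NOPASSWD` itself is acceptable for an unattended deploy, as long as the target user is the unprivileged app account rather than root. The `deploy ALL=(root) NOPASSWD: /usr/sbin/service nginx reload` line in the sample shows how a root-level action can still be allowed one command at a time.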

Matthew Macdonald-Wallace

May 28, 2012, 2:54:56 AM5/28/12
to capis...@googlegroups.com

It's been a while since I played with cap; however, I'm sure you could write a custom task to sudo to a user and exec commands as that user from cap.

M.
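One way to build the custom task suggested above, as an added example that is not from the reply or from Capistrano itself: a helper that wraps a command in `sudo -n -u APP_USER` with proper shell escaping, refuses to build root commands, and is then called from a Capistrano 2 style task. It assumes a sudoers rule like `deploy ALL=(foo_app) NOPASSWD: ALL` on the server, and the paths and commands in `APP_USER_COMMANDS` are constructed for the example.

```ruby
require 'shellwords'

# Added example, not from the thread: run selected recipe commands as the
# app user through sudo while Capistrano itself connects as "deploy".
# Assumes (on the server) a rule such as: deploy ALL=(foo_app) NOPASSWD: ALL

class RunAsError < StandardError; end

# Build "sudo -n -u USER -H -- /bin/sh -c CMD" with CMD shell-escaped.
#   -n  never prompt for a password: fail fast instead of hanging the deploy
#   -H  set HOME to the app user's home so bundler/rbenv find their config
# Root is refused so that no recipe can quietly turn this into escalation.
def as_user(user, command)
  user = user.to_s
  raise RunAsError, 'refusing to run as root' if %w[root 0].include?(user)
  raise RunAsError, "bad user name: #{user.inspect}" unless user =~ /\A[a-z_][a-z0-9_-]*\z/
  "sudo -n -u #{user} -H -- /bin/sh -c #{Shellwords.escape(command)}"
end

# Commands that must run as the app user (constructed, typical of unicorn and
# delayed_job recipes); everything else keeps running as the deploy user.
APP_USER_COMMANDS = [
  'cd /var/www/foo/current && bundle exec unicorn -c config/unicorn.rb -E production -D',
  'cd /var/www/foo/current && RAILS_ENV=production bin/delayed_job restart'
].freeze

def app_user_commands(app_user)
  APP_USER_COMMANDS.map { |c| as_user(app_user, c) }
end

# Illustrative Capistrano 2 wiring (assumption: Capistrano 2's "task", "run"
# and "fetch" helpers). It only loads when Capistrano is present, so the file
# also runs stand-alone.
if defined?(Capistrano::Configuration)
  Capistrano::Configuration.instance(:must_exist).load do
    set :app_user, 'foo_app'
    namespace :app do
      desc 'Start unicorn and delayed_job as the app user, not as deploy'
      task :start, :roles => :app do
        APP_USER_COMMANDS.each { |c| run as_user(fetch(:app_user), c) }
      end
    end
  end
end

if __FILE__ == $0
  puts app_user_commands('foo_app')
end
```

Because the wrapper is applied per command rather than by changing the SSH user, third-party recipes can be pointed at it in one place (for example by overriding their start/stop tasks to call `as_user`), and the app user itself never needs an SSH key or a sudoers entry.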
