Suggestions for a secure Rails setup regarding system users, groups and permissions.

Howdy. After much experimentation with Capistrano, my deploy.rb file
seems to be working without problems, but I would like to verify what
is recommended in regard to users, groups and permissions. I run
Rails with Apache, Passenger, ImageMagick, Thinking Sphinx, and of
course, deploy with Capistrano. Quite a bit of detail and text
follow, so thanks for bearing with me.

My system's users:
root # login disabled. I don't do much with this directly
main # I use this account for day to day system maintenance, to
install system software, packages, gems, etc
deployer # I use this to deploy the webapp & also run it. The
deployer user is also a member of the www-data group and has no
sudoer powers.

Rails app directory: I set the setgid bit on my Rails app directory so
that all files and directories created and uploaded by deployer are
automatically assigned to the www-data group.

Here are a few permissions from some random files in my app directory:
- log files in the Rails log dir: owner rw, group r, others r
- application_controller: owner rw, group rw, others r
- environment.rb (contains mailer password!): owner rw, group rw,
  others r

I'm thinking I should do a deep dive and have Capistrano further
restrict some of these permissions near the end of the deploy process.
For example, I probably wouldn't want environment.rb read by other
users, since it contains a password. Do you folks have any general
best permission practices for the assorted app files (environment,
views, logs, etc.)?

As I mentioned previously my setup currently works, but I'm just not
sure if it's as secure as it could be. In the event that my app has a
security flaw, I don't want a malicious user messing with my server's
files, logs, and so on. I'm also thinking about taking a bigger step
regarding the account which actually runs the webapp...

I’ve heard that it’s recommended to create another user separate from
the deploy user (giving me a total of three users: main, deployer and
myapp). However, I'm not entirely clear if that's necessary when the
deploy user is already separate from the main user. I’m thinking that
by creating a dedicated user in this instance, I could, for example,
set tighter permissions on files that the webapp user should never
change. e.g., application_controller could be owner: read, group:
read, others: nothing

I'm guessing that if I create a dedicated myapp user, I would likewise
need to enable sudo in deploy.rb and give deployer sudo permissions so
that it can change file ownership and groups as necessary. In doing
that I suspect I'd also want to restrict deployer's sudo via visudo:

  deployer hostname = /usr/bin/touch, /bin/chown, /bin/chgrp, /bin/ln, /bin/chmod

This adds the deployer account to sudoers but restricts its sudo
commands to just those listed. Am I missing any other necessary
sudo-specific commands here?

I think I'd also need to add some more tasks that set the user
accordingly before update_code and after update_code, right? Such
as...

  # before update_code - required so the deploy user can modify files
  # from deploy to deploy
  before "deploy:update_code", :deployer_takes_control
  task :deployer_takes_control do
    sudo "chown -R #{deploy_user}:#{webapp_group} #{release_path}"
  end

  # after update_code - done with the deploy. returns things to normal
  # so that the myapp user owns the files
  after "deploy:update_code", :webapp_takes_control
  task :webapp_takes_control do
    sudo "chown -R #{webapp_user}:#{webapp_group} #{release_path}"
  end

Lastly, I'm not entirely clear on what the benefits of this are, but
I've also seen a few recommendations to create a custom group for the
webapp too. That is, instead of using the www-data group for my app
directory and its files, I should create a new group ('webapp' or
something) and set all my app files and folders to this group. I
would then make the Apache user a member of the webapp group so it
can read and write as necessary. Is this advice recommended?

As you can see I’m trying to decide if I should just make a few
permission tweaks or go further and do those tweaks, but also set up
the dedicated webapp user and maybe a custom group. If you have any
comments or suggestions for these things or any other suggestions, I’d
love to hear them.
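As an added example (not code from the original post, and not part of Capistrano), here is a POSIX shell script that applies the mode scheme the post is reaching for to a checked-out release: directories setgid and closed to "others", app code and config read-only (so environment.rb and its mailer password are unreadable by other users and unwritable by a compromised app), and only log/ and tmp/ group-writable. It assumes a conventional Rails layout (app/, config/, log/, public/, tmp/) under the release path, and a stat that accepts -c (GNU coreutils or busybox). The sample tree it builds is constructed for illustration. It changes modes only; handing ownership to a dedicated app user still needs the sudo chown step discussed above.

```shell
#!/bin/sh
# Added example: lock down file modes in a Rails release directory.
# Assumes a conventional Rails layout under $release and GNU/busybox stat.
set -u

harden_release() {
  release="$1"
  # Every directory: owner rwx, group rx, others nothing. The setgid bit keeps
  # new files in the app group regardless of which user creates them.
  find "$release" -type d -exec chmod 2750 {} +
  # Every regular file: owner rw, group r, others nothing.
  find "$release" -type f -exec chmod 640 {} +
  # Code and configuration (environment.rb holds the mailer password) should
  # never be rewritten by a running app: read-only for owner and group.
  find "$release/app" "$release/config" -type f -exec chmod 440 {} +
  # Runtime-writable trees: logs, caches and pid/socket files are written by
  # the app and the web server, so the shared group needs write access.
  find "$release/log" "$release/tmp" -type d -exec chmod 2770 {} +
  find "$release/log" "$release/tmp" -type f -exec chmod 660 {} +
}

# Count files and directories under $1 that "others" can read. After
# hardening this should be zero; a deploy task can check it before finishing.
world_readable_count() {
  find "$1" \( -type f -o -type d \) -perm -o=r | wc -l | tr -d ' '
}

# Print the octal mode of one path (GNU/busybox stat; on BSD use: stat -f %Lp).
mode_of() {
  stat -c %a "$1"
}

# Build a small constructed release tree with the loose default modes the post
# lists (644 files, 755 dirs) so the hardening has something to act on.
make_sample_release() {
  release=$(mktemp -d)
  mkdir -p "$release/app/controllers" "$release/config" "$release/log" \
           "$release/public" "$release/tmp/pids"
  touch "$release/app/controllers/application_controller.rb" \
        "$release/config/environment.rb" "$release/log/production.log" \
        "$release/public/index.html" "$release/tmp/pids/server.pid"
  find "$release" -type d -exec chmod 755 {} +
  find "$release" -type f -exec chmod 644 {} +
  printf '%s\n' "$release"
}
```

From a Capistrano task this would be invoked with run (not sudo) after update_code, since the deploy user owns the files at that point; public/ stays group-readable so Apache, as a member of the group, can still serve static assets, and the directory setgid bit is what makes the group assignment survive later uploads.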