Suggestions for a secure rails setup regarding system users, groups and permissions.

Howdy. After much experimentation with Capistrano, my deploy.rb file seems to be working without problems, but I would like to verify what is recommended in regard to users, groups and permissions. I run Rails with Apache, Passenger, ImageMagick, Thinking Sphinx, and of course, deploy with Capistrano. Quite a bit of detail and text follow, so thanks for bearing with me.

My system's users:

- root: login disabled. I don't do much with this directly.
- main: I use this account for day to day system maintenance, to install system software, packages, gems, etc.
- deployer: I use this to deploy the webapp & also run it. The deployer user is also a member of the www-data group and has no sudoer powers.

Rails app directory: I set setgid on my rails app directory so that all files & directories created and uploaded by deployer are automatically set to the www-data group.

Here are a few permissions from some random files in my app directory:

- log files in the rails log dir: owner: rw, group: r, others: r
- application_controller: owner: rw, group: rw, others: r
- environment.rb (contains mailer password!): owner: rw, group: rw, others: r

I’m thinking I should do a deep dive and have Capistrano further restrict some of these permissions near the end of the deploy process. For example, I probably wouldn’t want environment.rb read by other users, since it contains a password. Do you folks have any general best permission practices for the assorted app files (environment, views, logs, etc.)?

As I mentioned previously my setup currently works, but I'm just not sure if it's as secure as it could be. In the event that my app has a security flaw, I don't want a malicious user messing with my server's files, logs, and so on. I'm also thinking about taking a bigger step regarding the account which actually runs the webapp...

I’ve heard that it’s recommended to create another user separate from the deploy user (giving me a total of three users: main, deployer and myapp). However, I'm not entirely clear if that's necessary when the deploy user is already separate from the main user. I’m thinking that by creating a dedicated user in this instance, I could, for example, set tighter permissions on files that the webapp user should never change. E.g., application_controller could be owner: read, group: read, others: nothing.

I'm guessing that if I create a dedicated myapp user, I would likewise need to enable sudo in deploy.rb and give deployer sudo permissions so that it can change file ownership and groups as necessary. In doing that I suspect I'd also want to restrict deployer's sudo via visudo:

    # Adds deployer account to sudoers, but restricts sudo commands to just those listed.
    deployer hostname=/usr/bin/touch, /bin/chown, /bin/chgrp, /bin/ln, /bin/chmod

Am I missing any other necessary sudo-specific commands here?

I think I'd also need to add some more tasks that set the user accordingly before update_code and after update_code, right? Such as...

Before:

    before "deploy:update_code", :deployer_takes_control
    task :deployer_takes_control do
      # required so the deploy user can modify files from deploy to deploy
      sudo "chown -R #{deploy_user}:#{webapp_group} #{release_path}"
    end

After:

    after "deploy:update_code", :webapp_takes_control
    task :webapp_takes_control do
      # done with the deploy. returns things to normal so that the myapp user owns the files
      sudo "chown -R #{webapp_user}:#{webapp_group} #{release_path}"
    end

Lastly, I'm not entirely clear on what the benefits of this are, but I've also seen a few recommendations to create a custom group for the webapp too. That is, instead of using the www-data group for my app directory and its files, I should create a new group ('webapp' or something) and set all my app files and folders to this group. I would then make the apache user a member of the webapp group so it can read & write as necessary. Is this advice recommended?

As you can see I’m trying to decide if I should just make a few permission tweaks or go further and do those tweaks, but also set up the dedicated webapp user and maybe a custom group. If you have any comments or suggestions for these things or any other suggestions, I’d love to hear them.

Thanks!
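As an added example (not code from the original post), here is a POSIX shell function that applies the "tighten permissions near the end of the deploy" idea from the post: directories become 2750 (setgid so new files inherit the group), files lose all access for others and group write, the log directory keeps group write because the app must append to it, and files holding secrets are forced to 640. It assumes the release is owned by the deploy user and grouped to the web-server group, that the app runs as the owner or a member of that group, the paths config/environment.rb and config/database.yml are the secret-bearing files, and GNU stat is available (Linux). The sample release tree is constructed inside the script so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post. Tightens permissions on a deployed
# Rails release so that "others" get nothing and group write is limited to log/.
# Assumption: release is owned by the deploy user and grouped to the web-server
# group (e.g. deployer:www-data), and the app runs as the owner or as a group member.

harden_release() {
  release="$1"
  [ -d "$release" ] || { echo "no such release: $release" >&2; return 1; }

  # Directories: rwxr-s--- (2750). setgid makes files created inside inherit the group.
  find "$release" -type d -exec chmod u=rwx,g=rxs,o= {} +

  # Files: drop all access for others and group write, but keep any execute
  # bits so script/* and bin/* still run.
  find "$release" -type f -exec chmod o=,g-w {} +

  # The app must append to its logs: give the group write on log/ and its files.
  if [ -d "$release/log" ]; then
    chmod g+w "$release/log"
    find "$release/log" -type f -exec chmod g+w {} +
  fi

  # Files carrying secrets (assumed paths): owner rw, group r, others nothing.
  for secret in "$release/config/environment.rb" "$release/config/database.yml"; do
    [ -f "$secret" ] && chmod 640 "$secret"
  done
  return 0
}

# Octal mode of a path, including setuid/setgid/sticky bits (GNU stat; assumes Linux).
perm_of() { stat -c %a "$1"; }

# Build a constructed sample release tree with deliberately loose modes; print its path.
make_sample_release() {
  r=$(mktemp -d)
  mkdir -p "$r/app/controllers" "$r/config" "$r/log" "$r/script"
  printf '' > "$r/app/controllers/application_controller.rb"
  printf '' > "$r/config/environment.rb"
  printf '' > "$r/log/production.log"
  printf '#!/bin/sh\n' > "$r/script/server"
  chmod 664 "$r/app/controllers/application_controller.rb" \
            "$r/config/environment.rb" "$r/log/production.log"
  chmod 755 "$r/script/server"
  chmod 775 "$r/app" "$r/app/controllers" "$r/config" "$r/log" "$r/script"
  echo "$r"
}

# Demo: show the modes of the secret file and log dir before and after hardening.
if [ "${1:-}" = "--demo" ]; then
  R=$(make_sample_release)
  echo "before: environment.rb=$(perm_of "$R/config/environment.rb") log/=$(perm_of "$R/log")"
  harden_release "$R"
  echo "after:  environment.rb=$(perm_of "$R/config/environment.rb") log/=$(perm_of "$R/log")"
  rm -rf "$R"
fi
```

Run it as `sh harden.sh --demo` to see the change on the constructed tree; in a real deploy it would be called on the new release path by the deploy user, which is why no chown and no sudo appear in it. Symbolic modes are used for the bulk passes on purpose: `o=,g-w` strips what the post wants stripped without knocking the execute bit off scripts, which a blanket `chmod 640` would do.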