Howdy. After much experimentation with Capistrano, my deploy.rb file seems to be working without problems, but I would like to verify what is recommended in regard to users, groups and permissions. I run Rails with Apache, Passenger, ImageMagick, Thinking Sphinx, and of course, deploy with Capistrano. Quite a bit of detail and text follow, so thanks for bearing with me.
My system's users:

    root     # login disabled. I don't do much with this directly
    main     # I use this account for day-to-day system maintenance, to install system software, packages, gems, etc.
    deployer # I use this to deploy the webapp & also run it.

The deployer user is also a member of the www-data group and has no sudoer powers.
Rails app directory: I set setgid on my Rails app directory so that all files & directories created and uploaded by deployer are automatically set to the www-data group.
Here are a few permissions from some random files in my app directory:

    log files in the Rails log dir              - owner: rw, group: r,  other: r
    application_controller                      - owner: rw, group: rw, other: r
    environment.rb (contains mailer password!)  - owner: rw, group: rw, other: r
I’m thinking I should do a deep dive and have capistrano further restrict some of these permissions near the end of the deploy process. For example, I probably wouldn’t want environment.rb read by other users, since it contains a password. Do you folks have any general best permission practices for the assorted app files (environment, views, logs, etc)?
As I mentioned previously my setup currently works, but I'm just not sure if it's as secure as it could be. In the event that my app has a security flaw, I don't want a malicious user messing with my server's files, logs, and so on. I'm also thinking about taking a bigger step regarding the account which actually runs the webapp...
I’ve heard that it’s recommended to create another user separate from the deploy user (giving me a total of three users: main, deployer and myapp). However, I'm not entirely clear if that's necessary when the deploy user is already separate from the main user. I’m thinking that by creating a dedicated user in this instance, I could, for example, set tighter permissions on files that the webapp user should never change. e.g., application_controller could be owner: read, group: read, others: nothing
I'm guessing that if I create a dedicated myapp user, I would likewise need to enable sudo in deploy.rb and give deployer sudo permissions so that it can change file ownership and groups as necessary. In doing that I suspect I'd also want to restrict deployer's sudo via visudo:
    # Adds the deployer account to sudoers, but restricts sudo commands to just those listed.
    deployer hostname=/usr/bin/touch, /bin/chown, /bin/chgrp, /bin/ln, /bin/chmod

Am I missing any other necessary sudo-specific commands here?
I think I'd also need to add some more tasks that set the user accordingly before update_code and after update_code, right? Such as...

before:

    task :deployer_takes_control do
      # required so the deploy user can modify files from deploy to deploy
      sudo "chown -R #{deploy_user}:#{webapp_group} #{release_path}"
    end

after:

    task :webapp_takes_control do
      # done with the deploy; returns things to normal so that the myapp user owns the files
      sudo "chown -R #{webapp_user}:#{webapp_group} #{release_path}"
    end
Lastly, I'm not entirely clear on what the benefits of this are, but I've also seen a few recommendations to create a custom group for the webapp too. That is, instead of using the www-data group for my app directory and its files, I should create a new group ('webapp' or something) and set all my app files and folders to this group. I would then make the Apache user a member of the webapp group so it can read & write as necessary. Is this advice recommended?
As you can see I’m trying to decide if I should just make a few permission tweaks or go further and do those tweaks, but also set up the dedicated webapp user and maybe a custom group. If you have any comments or suggestions for these things or any other suggestions, I’d love to hear them.
Thanks!
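As an added example (not code from the question), here is the post-deploy tightening step the question is asking about, written as a POSIX shell script that a Capistrano task could call via `run`/`sudo` after update_code: code and config become readable by the app group and invisible to "other", while only log/ and tmp/ stay group-writable. The function names harden_release and check_release and the release layout (app/, config/, log/, tmp/) are assumptions; ownership changes are left to the chown tasks already shown.

```shell
#!/bin/sh
# Added example (not from the original post). Tightens modes inside one
# Capistrano release so the web-app user (a member of the app group) can read
# code and config, write only log/ and tmp/, and "other" gets nothing, so a
# file such as config/environment.rb is not readable by unrelated accounts.
# Ownership (chown/chgrp) is left to the sudo tasks described in the question.
set -eu

# harden_release RELEASE_PATH
#   directories 750, files 640; log/ and tmp/ become group-writable (770/660).
harden_release() {
  release="$1"
  # -H follows a symlinked starting point (Capistrano links log/ into shared/).
  find -H "$release" -type d -exec chmod 750 {} +
  find -H "$release" -type f -exec chmod 640 {} +
  for writable in log tmp; do
    [ -d "$release/$writable" ] || continue
    find -H "$release/$writable" -type d -exec chmod 770 {} +
    find -H "$release/$writable" -type f -exec chmod 660 {} +
  done
}

# check_release RELEASE_PATH
#   Returns 1 if anything under the release is still world-readable, or if a
#   file under config/ is group-writable; usable as a post-deploy assertion
#   before the app is restarted.
check_release() {
  release="$1"
  if find -H "$release" -perm -004 | grep -q .; then
    echo "world-readable entries remain under $release" >&2
    return 1
  fi
  if [ -d "$release/config" ] && find -H "$release/config" -type f -perm -020 | grep -q .; then
    echo "group-writable config files remain under $release/config" >&2
    return 1
  fi
  return 0
}

# Usage (from a shell or a Capistrano task): harden_release.sh /path/to/release
if [ "$#" -ge 1 ]; then
  harden_release "$1"
  check_release "$1" && echo "permissions tightened under $1"
fi
```

Run it as the owner of the release (deployer) after the files are in place; if log/ points into shared/, the -H lets it follow that link.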