Xiaotian Guo

Reputation: 1645

Capistrano security best practice

The company I work for has been using Capistrano for Rails app deployment. We have an app user (e.g. foo_app) created for each web app, and they all belong to a webapp group with passwordless sudo privilege:

%webapp ALL=(ALL) NOPASSWD: ALL

In our cap deploy.rb we set an SSH key pair to allow Capistrano to SSH to the server as the app user and do all cap tasks.

set :ssh_options, {:username=>'foo_app', :keys => File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}

It works well, but I feel a bit uncomfortable having a NOPASSWD sudoer run my app's processes; if the app process gets compromised, the attacker could easily take over the entire server.

My question is: is there any way to have a different user run my app, preferably one without sudo permission? Ideally I want a single 'deploy' user to do all Capistrano remote tasks:

set :ssh_options, {:username=>'deploy', :keys => File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}

but I want Capistrano to use an app-specific user to run my processes like unicorn, delayed jobs etc.

I have played with the :admin_runner and :runner variables, but they don't work as I expected. I could change some 3rd-party recipes to sudo as foo_app when starting processes like unicorn, delayed jobs etc., but that's a lot of work to keep them updated.

Any ideas?

Thanks!

Upvotes: 2

Views: 1128

Answers (1)

torrancew

Reputation: 31

First, you may want to consider restricting that NOPASSWD rule a bit. I'm not sure of the specifics of your deploy, but I generally create a user dedicated to deploying and give him NOPASSWD rules only for the commands I need to escalate during the deploy; this usually winds up being service restart commands only, possibly specific chown commands as well. If you need more interactive help, hop on #capistrano during US Pacific daytime and I am happy to try to help you out; I just missed you this weekend.

Example of a restricted nopasswd rule, in case you need a reference:

webapp ALL=(root) NOPASSWD:/usr/sbin/sv restart myservice

Resulting ruleset:

webapp@host:~$ sudo -ll
User torrancew may run the following commands on this host:

Sudoers entry:
    RunAsUsers: root
    Commands:
        NOPASSWD: /usr/bin/sv restart myservice

-torrancew

Upvotes: 2
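As an added example (not code from the question, the answer, or Capistrano itself), the following Ruby script audits sudoers fragments for the kind of over-broad grant the question describes and accepts the narrow grant the answer recommends. The sample fragment is constructed for this example; it contains the question's `%webapp ALL=(ALL) NOPASSWD: ALL` rule, the answer's `sv restart` rule, and two further variations (a relative command path and a wildcard argument) that go beyond the rule shown in the answer. The parser is a deliberate simplification of sudoers syntax: one user specification per line, no aliases, no Defaults, no `#include` lines.

```ruby
# Added example: a small lint for sudoers fragments. It flags rules that grant
# every command or every target user, plus two common ways a "restricted"
# rule is weaker than it looks: a relative command path and a wildcard
# argument. Parsing is simplified (one user spec per line, no aliases).

# Constructed sample sudoers fragment for this example.
SAMPLE_SUDOERS = <<~SUDOERS
  # blanket grant from the question: any command, as any user, no password
  %webapp ALL=(ALL) NOPASSWD: ALL
  # restricted grant from the answer: one absolute command with fixed arguments
  webapp ALL=(root) NOPASSWD:/usr/sbin/sv restart myservice
  # relative command path: resolved via PATH, so the binary is not pinned
  deploy ALL=(root) NOPASSWD: sv restart myservice
  # wildcard argument: any chown invocation is allowed, not one fixed path
  deploy ALL=(root) NOPASSWD: /bin/chown *
SUDOERS

Rule = Struct.new(:principal, :hosts, :runas, :nopasswd, :commands)

# Parse one "who host=(runas) [NOPASSWD:] cmd, cmd" line.
# Returns nil for blank lines and comments. When the (runas) list is omitted,
# sudoers defaults the target user to root.
def parse_rule(line)
  line = line.strip
  return nil if line.empty? || line.start_with?("#")
  m = line.match(/\A(\S+)\s+(\S+?)=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)\z/)
  return nil unless m
  principal, hosts, runas, tag, cmds = m.captures
  commands = cmds.split(",").map(&:strip)
  Rule.new(principal, hosts, runas || "root", !tag.nil?, commands)
end

# Return a list of findings (strings) for one rule; empty means the rule is
# narrow by the checks applied here.
def audit_rule(rule)
  findings = []
  findings << "commands ALL" if rule.commands.include?("ALL")
  # The runas field may be "users" or "users:groups"; only the user list is checked.
  runas_users = rule.runas.split(":").first.to_s.split(",").map(&:strip)
  findings << "runas ALL" if runas_users.include?("ALL")
  rule.commands.each do |cmd|
    next if cmd == "ALL"
    path = cmd.split(/\s+/).first
    findings << "relative path: #{cmd}" unless path.start_with?("/")
    findings << "wildcard argument: #{cmd}" if cmd.include?("*")
  end
  findings
end

# Audit a whole fragment; returns [[rule, findings], ...] in file order.
def audit_sudoers(text)
  text.lines.map { |l| parse_rule(l) }.compact.map { |r| [r, audit_rule(r)] }
end

if __FILE__ == $0
  audit_sudoers(SAMPLE_SUDOERS).each do |rule, findings|
    status = findings.empty? ? "ok      " : "REVIEW  "
    puts "#{status} #{rule.principal} -> (#{rule.runas}) #{rule.commands.join(', ')}"
    findings.each { |f| puts "           - #{f}" }
  end
end
```

Run it directly to see each rule with its findings; the question's `%webapp` rule is reported for both "commands ALL" and "runas ALL", while the answer's rule passes. One check worth keeping in mind when writing a rule like the answer's: sudo matches the command by the exact path given in the sudoers entry, so the rule and the command Capistrano actually invokes must agree on the full path (for example `/usr/sbin/sv` versus `/usr/bin/sv`), or the escalation will be refused.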
