Rob, I think passwordless sudo rights on a production box are a bad idea, personally. It's not such a horrible thing to require a password; you can mitigate the pain somewhat by forcing Capistrano to prompt you for it right away, instead of at the moment it is first needed:

    cap -p -- deploy

The -p switch allows the password to be specified on the command line, which is not a good idea, but if you follow it with -- then cap will prompt you for the password immediately.

- Jamis

On Feb 16, 2007, at 9:13 PM, Rob Sanheim wrote:

> How does everyone handle security so they can do one step deploys?
> For instance, right now the user we use for our deployments doesn't
> have password-less sudo rights, so I still have to enter a password
> for the mongrel restart. When I'm deploying many times a day (for
> example - to our staging server), I'd like to just be able to do 'cap
> deploy' and walk away, or even script it to cap deploy on any checkins
> that don't break the build.
>
> Is there a good 'secure' way to do this? I was thinking of setting a
> user who could only login via ssh key auth, who would have
> password-less sudo rights, and maybe locking down that user to only be
> able to do svn tasks and mongrel tasks...I'm not sure how to do the
> last part of that, though. Maybe I'm worrying about this too much and
> I should just setup a strong key and give the user wide open sudo
> rights?
>
> any ideas? thanks,
> Rob
