On Fri, Feb 16, 2007 at 10:13:04PM -0600, Rob Sanheim wrote:
> 
> How does everyone handle security so they can do one step deploys?
> For instance, right now the user we use for our deployments doesn't
> have password-less sudo rights, so I still have to enter a password
> for the mongrel restart.  When I'm deploying many times a day (for
> example - to our staging server), I'd like to just be able to do 'cap
> deploy' and walk away, or even script it to cap deploy on any checkins
> that don't break the build.
> 
> Is there a good 'secure' way to do this?  I was thinking of setting a
> user who could only log in via ssh key auth, who would have
> password-less sudo rights, and maybe locking down that user to only be
> able to do svn tasks and mongrel tasks...I'm not sure how to do the
> last part of that, though.  Maybe I'm worrying about this too much and
> I should just set up a strong key and give the user wide open sudo
> rights?

I'm doing key based SSH login and then I have the following in my
sudoers file:

%wheel  ALL=NOPASSWD:/usr/local/bin/mongrel_rails

This allows everybody in the wheel group to run the mongrel_rails
command as root without having to supply a password. This coupled with
ssh-agent (or a wrapper around it like keychain[1]) allows me to deploy
without having to enter any passwords.

You can lock this further down by not running mongrel_rails as root but
another user, which might be a good idea in case security holes are
found in mongrel.

[1]: http://www.gentoo.org/proj/en/keychain/

-- 
Cheers,
- Jacob Atzen
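
Added example, not part of the original message: a sudoers fragment that puts the rule quoted in the reply beside a narrower form of it, following the reply's suggestion of running mongrel_rails as a non-root user. The account names `deploy` and `mongrel`, the application path and the `cluster::restart -C` command line are assumptions chosen for illustration.

```sudoers
# Assumed names (placeholders, not from the thread):
#   deploy  = account Capistrano logs in as, SSH key auth only
#   mongrel = unprivileged account that owns the mongrel processes
#   /var/www/app/current = deployed application path

# Rule from the reply. A command listed without arguments matches ANY
# arguments, and with no Runas spec the target user is root, so every
# member of wheel can run mongrel_rails as root with any options.
# %wheel  ALL=NOPASSWD:/usr/local/bin/mongrel_rails

# Narrower rule: one user, a non-root target account, and only the
# exact command lines listed here. In sudoers command arguments the
# characters ',' ':' '=' and '\' must be backslash-escaped, hence
# "cluster\:\:restart".
Cmnd_Alias MONGREL_CTL = \
    /usr/local/bin/mongrel_rails cluster\:\:restart -C /var/www/app/current/config/mongrel_cluster.yml, \
    /usr/local/bin/mongrel_rails cluster\:\:stop -C /var/www/app/current/config/mongrel_cluster.yml, \
    /usr/local/bin/mongrel_rails cluster\:\:start -C /var/www/app/current/config/mongrel_cluster.yml

deploy  ALL = (mongrel) NOPASSWD: MONGREL_CTL

# The deploy task then has to call sudo with a matching target user and
# argument list, for example:
#   sudo -u mongrel /usr/local/bin/mongrel_rails cluster::restart \
#        -C /var/www/app/current/config/mongrel_cluster.yml
#
# Checks after editing:
#   visudo -c           # syntax check before the file takes effect
#   sudo -l -U deploy   # run as root: list what deploy may run
```

Any other argument list, or a request to run the command as root, falls outside the rule and prompts for a password as before.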
