I think that using individual usernames for administering hosts is a great step in the direction of auditability.

Another security best practice is to use accounts that have the minimum necessary access rights as is possible. One part of this is to use different userids to deploy/configure an app than to run it. I typically use app-config and app-run users where app-config is a member of the wheel group and implicitly has sudo powers. The app-run user can only write to the log directory.

I have always had to do *some* kind of post-deploy and post-deploy:setup chowning to get exactly what I want.

Peter

On May 7, 2009, at 8:42 AM, dwhsix wrote:

>
> I'm having a problem which I think may be related to the ones
> mentioned in these other 2 threads:
> http://groups.google.com/group/capistrano/browse_thread/thread/707ba587b3848abc
> http://groups.google.com/group/capistrano/browse_thread/thread/dff88affd9c73954
>
> For compliance purposes, I need to have all access to our production
> servers to be through individual usernames, not generic ones like app
> and admin.  (I should note that I'm using ec2onrails, which is built
> on top of capistrano and I've already had to do a few fixes there.)
>
> I've managed to get things working to where I can do all ssh access
> via a specific username--took a little fixing to ec2onrails where some
> usernames were hardcoded.
>
> It looks like code deployment is happening under my ssh username, not
> 'app', so then running the app runs into some problems because of file
> ownership+protection.
>
> At the moment I've worked around this by adding my ssh username to the
> app and admin (and root) groups.  Any recommendations on a better way
> to handle this?  Maybe I just have to override
> Capistrano::Deploy::Strategy#deploy! as suggested in the other thread?
>
> Thanks,
>
> dwh
>
> >
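The two-user layout Peter describes (a deploying app-config user that owns the code, an app-run user that can only write to the log directory, and a chown step after deploy:setup and deploy) can be expressed as a short Ruby helper. The following is an added example, not code from the thread, from Capistrano or from ec2onrails; the deploy path, the `PathEntry` struct and the function names `ownership_commands`, `writable_by?`, `audit_tree` and `scan_tree` are assumptions for illustration, and the sample entries in the usage block are constructed.

```ruby
# Added example (not from the thread, Capistrano or ec2onrails).
# 1) ownership_commands: the chown/chmod lines to run (via sudo, e.g. from a
#    Capistrano `after "deploy"` hook) so that the config user owns the tree
#    and the run user can read everything but write only under shared/log.
# 2) audit_tree: a least-privilege check over a list of path entries that
#    reports anything the run user could write to outside the log directory.
require 'find'

DEPLOY_TO = "/var/www/myapp"   # assumed deploy_to path (placeholder)

# One stat-like record per path; mode holds only the permission bits.
PathEntry = Struct.new(:path, :uid, :gid, :mode)

# Commands to restore the intended ownership after deploy:setup / deploy.
# Group is set to the run user's group so the run user can read the code
# (group r-x) without being able to modify it; "other" gets nothing.
def ownership_commands(deploy_to, config_user, run_user)
  log_dir = File.join(deploy_to, "shared", "log")
  [
    "chown -R #{config_user}:#{run_user} #{deploy_to}",
    "chmod -R u=rwX,g=rX,o= #{deploy_to}",
    "mkdir -p #{log_dir}",
    "chown -R #{run_user}:#{run_user} #{log_dir}",
    "chmod -R u=rwX,g=rX,o= #{log_dir}",
  ]
end

# True if a user with this uid and these group ids could write to the entry,
# following the usual owner / group / other permission evaluation.
def writable_by?(entry, uid, gids)
  return (entry.mode & 0200) != 0 if entry.uid == uid
  return (entry.mode & 0020) != 0 if gids.include?(entry.gid)
  (entry.mode & 0002) != 0
end

# Entries the run user can write to that are not inside log_dir.
def audit_tree(entries, run_uid, run_gids, log_dir)
  prefix = log_dir.chomp("/") + "/"
  entries.reject { |e| e.path == log_dir || e.path.start_with?(prefix) }
         .select { |e| writable_by?(e, run_uid, run_gids) }
end

# Build PathEntry records from a real directory on disk (for use on a host).
def scan_tree(root)
  entries = []
  Find.find(root) do |path|
    st = File.lstat(path)
    entries << PathEntry.new(path, st.uid, st.gid, st.mode & 07777)
  end
  entries
end

if __FILE__ == $0
  puts ownership_commands(DEPLOY_TO, "app-config", "app-run")
  # Constructed sample entries: uid 1001 = app-config, uid/gid 1002 = app-run.
  sample = [
    PathEntry.new("#{DEPLOY_TO}/current/config/database.yml", 1001, 1002, 0640),
    PathEntry.new("#{DEPLOY_TO}/shared/log/production.log",  1002, 1002, 0640),
    PathEntry.new("#{DEPLOY_TO}/shared/tmp",                 1001, 1002, 0775),
    PathEntry.new("#{DEPLOY_TO}/current/public/uploads",     1001, 1001, 0777),
  ]
  audit_tree(sample, 1002, [1002], "#{DEPLOY_TO}/shared/log").each do |e|
    puts "writable by app-run outside log dir: #{e.path} (mode #{e.mode.to_s(8)})"
  end
end
```

On a real host, `audit_tree(scan_tree(DEPLOY_TO), run_uid, run_gids, log_dir)` run after the deploy gives a concrete list of paths where the chown step did not achieve the intended result, which is the "exactly what I want" check the post alludes to; if the app genuinely needs another writable location (tmp, uploads), it belongs in the allow-list rather than in a group-writable code tree.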

