Hi,
The company I work for has been using capistrano for Rails web
apps. We have an app user (e.g. foo_app) created for each web app, and
they all belong to a webapp group with no-password sudo privilege:
%webapp ALL=(ALL) NOPASSWD: ALL
In our cap deploy.rb we set an ssh key pair to allow capistrano to ssh
to the server as the app user and do all cap tasks.
set :ssh_options, {:username=>'foo_app', :keys =>
File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}
I feel a bit uncomfortable having a NOPASSWD sudoer run my app; if
the app process gets compromised, the attacker could easily take over
the entire server.
My question is, is there any way to have a different user that runs my
app, preferably without sudo permission? Ideally I want to have a
single 'deploy' user to do all capistrano remote tasks:
set :ssh_options, {:username=>'deploy', :keys =>
File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}
but I want to have capistrano use an app-specific user to run my
processes like unicorn, delayed jobs etc.
I have played with the admin_runner and runner variables but they don't work
as I expected. I could change some third-party recipes to sudo as
foo_app when starting processes like unicorn, delayed jobs etc., but
that's a lot of work to keep them updated.
Any ideas?
Thanks!
--
* You received this message because you are subscribed to the Google Groups
"Capistrano" group.
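As an added illustration (not from the original post or the Capistrano project), here is the sudoers change that gives the separation asked for above: the weak rule from the message beside a restricted one that lets a single deploy user escalate only to foo_app and only for named commands. The file name, the init-script paths and the user names are assumptions.

```sudoers
# /etc/sudoers.d/foo_app   (assumed file name; install mode 0440 and make
# sure /etc/sudoers has "#includedir /etc/sudoers.d")

# Before (from the question): every webapp member is root-equivalent, so a
# compromised app process running as foo_app has a password-less path to root.
#   %webapp ALL=(ALL) NOPASSWD: ALL

# After: foo_app itself gets no sudo entry at all. Only the deploy user may
# escalate, only to foo_app (never to root), and only for the process-control
# scripts the cap recipes actually need. Absolute paths, no wildcards, so an
# attacker who controls deploy cannot widen the rule through an argument.
Cmnd_Alias FOO_APP_PROCS = /etc/init.d/unicorn_foo_app, \
                           /etc/init.d/delayed_job_foo_app
deploy ALL=(foo_app) NOPASSWD: FOO_APP_PROCS

# These scripts run as foo_app, so they must be root-owned and not writable
# by foo_app or deploy; otherwise editing the script is an escalation path.

# Looser fallback if an unmodified third-party recipe needs arbitrary commands
# as the app user: still bounded to foo_app, never (ALL).
# deploy ALL=(foo_app) NOPASSWD: ALL
```

In a Capistrano 2 recipe the matching call is the `sudo` helper with its `:as` option, e.g. `sudo "/etc/init.d/unicorn_foo_app restart", :as => 'foo_app'`, which runs `sudo -u foo_app ...` on the server. Check the file with `visudo -c -f /etc/sudoers.d/foo_app` before relying on it.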