It's been a while since I played with cap; however, I'm sure you could write a custom task to sudo to a user and exec commands as that user from cap.
M.

On 27 May 2012 23:10, "RustedInSeattle" <[email protected]> wrote:
> Hi,
> The company I work for has been using Capistrano for Rails web
> apps. We have an app user (e.g. foo_app) created for each web app, and
> they all belong to a webapp group with no-password sudo privilege:
>
> %webapp ALL=(ALL) NOPASSWD: ALL
>
> In our cap deploy.rb we set an SSH key pair to allow Capistrano to ssh
> to the server as the app user and do all cap tasks.
>
> set :ssh_options, {:username=>'foo_app', :keys => File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}
>
> I feel a bit uncomfortable having a nopasswd sudoer run my app; if
> the app process gets compromised, the attacker could easily take over
> the entire server.
>
> My question is, is there any way to have a different user that runs my
> app, preferably without sudo permission? Ideally I want to have a
> single 'deploy' user to do all Capistrano remote tasks:
>
> set :ssh_options, {:username=>'deploy', :keys => File.join(ENV['HOME'],'.ssh', 'id_rsa_deploy')}
>
> but I want to have Capistrano use an app-specific user to run my
> processes like unicorn, delayed jobs etc.
>
> I have played with the admin_runner and runner variables but they don't
> work as I expected. I could change some 3rd party recipes to sudo as
> foo_app when starting processes like unicorn, delayed jobs etc. but
> that's a lot of work to keep them updated.
>
> Any ideas?
>
> Thanks!
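The split discussed in this thread, sketched as an added Ruby example (not code from the thread or from Capistrano): a helper that builds the "run this as the app user" command a custom task would execute, plus a small check that tells the posted sudoers rule apart from a narrowed one. The 'deploy' rule, the /srv/foo_app/current path and the helper names are assumptions made for illustration.

```ruby
require 'shellwords'

# Hypothetical account names: 'deploy' is the SSH login Capistrano uses,
# 'foo_app' (from the post) owns the app processes and has no sudo rights.
APP_USER = 'foo_app'

# Command line that runs +command+ as +user+ through sudo.
# -n: fail instead of prompting; -H: use the target user's HOME.
def as_user(command, user = APP_USER)
  unless user =~ /\A[a-z_][a-z0-9_-]*\z/
    raise ArgumentError, "unexpected user name: #{user.inspect}"
  end
  "sudo -n -H -u #{user} -- sh -c #{Shellwords.escape(command)}"
end

# Parse a simple sudoers rule "who host=(runas) [NOPASSWD:] cmd, cmd".
# Returns nil for comments, Defaults, aliases and anything it cannot parse.
def parse_rule(line)
  return nil if line =~ /\A\s*(#|Defaults|\w+_Alias)/
  m = line.strip.match(/\A(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)\z/)
  return nil unless m
  { who: m[1],
    runas: (m[2] || 'root').split(/\s*[,:]\s*/), # sudo defaults to root
    nopasswd: !m[3].nil?,
    commands: m[4].split(/\s*,\s*/) }
end

# True when the rule allows any command as root (named directly or via ALL).
def root_equivalent?(rule)
  rule[:commands].include?('ALL') && !(rule[:runas] & %w[ALL root]).empty?
end

# Constructed sample: the rule from the post, then a narrowed replacement
# that only lets 'deploy' become the app user.
SAMPLE = <<~SUDOERS
  %webapp ALL=(ALL) NOPASSWD: ALL
  deploy  ALL=(foo_app) NOPASSWD: ALL
SUDOERS

if __FILE__ == $PROGRAM_NAME
  SAMPLE.each_line do |l|
    rule = parse_rule(l) or next
    puts format('%-8s runas=%-8s root-equivalent=%s',
                rule[:who], rule[:runas].join(','), root_equivalent?(rule))
  end
  puts as_user('cd /srv/foo_app/current && bundle exec unicorn -D') # hypothetical path
end
```

In a custom task the string returned by as_user would be handed to Capistrano's run; with the narrowed rule, foo_app itself has no sudoers entry, so a compromised app process cannot escalate through sudo.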
