Re: [PHP] security/deployment issue

2009-10-16 Thread hessiess
> Humm.. thanks for the replies. But I have another problem about rsync
> again.
>
>
>
> When I deploy a project using rsync the permissions of the whole home
> directory are changed. I tried to use the parameters -p -o -g (preserve
> permissions, owner and group):
>
>
> I don't know why, but rsync doesn't preserve the permissions and group/owner.
>
>
> Then after every deploy I need to execute the cmd "chmod 755 user:group
> /home/project". Does anyone else have this problem?
>
>
> Thanks
>
>
> Augusto Morais
>

That would suggest that you are running PHP as the same user as Apache;
instead, running it as the user which owns the files (the same user you are
using with rsync) would solve this problem. This can be done by running
PHP as a FastCGI application with suexec or using mpm-itk.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] security/deployment issue

2009-10-16 Thread Adam Randall
Rsync preserves the UID and GID, not the visible username or visible
group name. This means that if the UIDs and GIDs do not match your
expected users and groups on the destination server they will match
whatever is set up there according to the /etc/passwd or /etc/group
files. If there's no match for the UID and GID then it will just
display the UID or GID number.

Adam.

On Fri, Oct 16, 2009 at 1:13 PM, Augusto Flavio wrote:
> Humm.. thanks for the replies. But I have another problem about rsync again.
>
>
>
> When I deploy a project using rsync the permissions of the whole home
> directory are changed. I tried to use the parameters -p -o -g (preserve
> permissions, owner and group):
>
>
> I don't know why, but rsync doesn't preserve the permissions and group/owner.
>
>
> Then after every deploy I need to execute the cmd "chmod 755 user:group
> /home/project". Does anyone else have this problem?
>
>
> Thanks
>
>
> Augusto Morais
>



-- 
Adam Randall
http://www.xaren.net
AIM: blitz574




Re: [PHP] security/deployment issue

2009-10-16 Thread Augusto Flavio
Humm.. thanks for the replies. But I have another problem about rsync again.



When I deploy a project using rsync the permissions of the whole home
directory are changed. I tried to use the parameters -p -o -g (preserve
permissions, owner and group):


I don't know why, but rsync doesn't preserve the permissions and group/owner.


Then after every deploy I need to execute the cmd "chmod 755 user:group
/home/project". Does anyone else have this problem?


Thanks


Augusto Morais
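The ownership mismatch Augusto describes and the UID/GID mapping Adam explains can be checked before a deploy rather than discovered afterwards. The script below is an added example written for this thread, not code from any of the posters: it takes the owner/group of each file as recorded on the source host and constructed excerpts of the destination's /etc/passwd and /etc/group, and predicts what `rsync -o -g` will leave behind in both of rsync's modes. In its default mode rsync maps by user and group name and falls back to the source's numeric id only when the name does not exist on the receiver; with `--numeric-ids` it keeps the numbers, which is the behaviour Adam describes. All file paths, names and ids are constructed sample data.

```python
"""Pre-deployment ownership check for rsync -o -g (constructed example)."""

# Constructed sample: ownership of the files on the source (dev) host:
# (path, owner name, uid, group name, gid)
SOURCE_FILES = [
    ("/home/project/index.php",  "deploy",   1001, "www",      33),
    ("/home/project/config.php", "deploy",   1001, "deploy",   1001),
    ("/home/project/cache",      "www-data", 33,   "www-data", 33),
    ("/home/project/logs",       "jenkins",  1500, "jenkins",  1500),
]

# Constructed excerpts of /etc/passwd and /etc/group on the destination (prod) host.
DEST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
augusto:x:1001:1001:Augusto:/home/augusto:/bin/bash
deploy:x:1002:1002:deploy:/home/deploy:/bin/bash
"""
DEST_GROUP = """\
root:x:0:
www-data:x:33:
augusto:x:1001:
deploy:x:1002:
"""


def parse_id_table(text):
    """Parse passwd/group-style text into (name -> id, id -> name) maps.

    Both file formats keep the name in field 0 and the numeric id in field 2.
    """
    by_name, by_id = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name, num = fields[0], int(fields[2])
        by_name[name] = num
        by_id.setdefault(num, name)  # first entry wins, like getpwuid()
    return by_name, by_id


def resolve(name, num, by_name, by_id, numeric_ids):
    """Return (effective id, displayed name) the receiving side ends up with.

    Default rsync mode: map by name; if the name does not exist on the
    receiver, the numeric id from the source is used unchanged.
    --numeric-ids: keep the numeric id and let the receiver's tables decide
    which name (if any) it displays.
    """
    if numeric_ids or name not in by_name:
        effective = num
    else:
        effective = by_name[name]
    return effective, by_id.get(effective, str(effective))


def ownership_report(files, passwd_text, group_text, numeric_ids=False):
    """Predict post-rsync ownership per file and flag any owner/group whose name changes."""
    u_by_name, u_by_id = parse_id_table(passwd_text)
    g_by_name, g_by_id = parse_id_table(group_text)
    report = []
    for path, uname, uid, gname, gid in files:
        eff_uid, shown_user = resolve(uname, uid, u_by_name, u_by_id, numeric_ids)
        eff_gid, shown_group = resolve(gname, gid, g_by_name, g_by_id, numeric_ids)
        problems = []
        if shown_user != uname:
            problems.append(f"owner {uname} -> {shown_user}")
        if shown_group != gname:
            problems.append(f"group {gname} -> {shown_group}")
        report.append({"path": path, "uid": eff_uid, "user": shown_user,
                       "gid": eff_gid, "group": shown_group, "problems": problems})
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print("--numeric-ids" if mode else "default (map by name)")
        for row in ownership_report(SOURCE_FILES, DEST_PASSWD, DEST_GROUP, mode):
            flag = "; ".join(row["problems"]) or "ok"
            print(f"  {row['path']:<28} {row['user']}:{row['group']}  {flag}")
```

Two further points worth checking on the real hosts: `-o` is only honoured when the receiving rsync runs as root, and without root `-g` only preserves groups the invoking user belongs to, so a non-root deploy account silently loses ownership no matter how the ids line up; and rsync 3.1 and later offer `--chown=USER:GROUP` and `--usermap`/`--groupmap` to set the destination ownership explicitly, which removes the need for a chown after every deploy.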


Re: [PHP] security/deployment issue

2009-10-16 Thread hessiess
>> Rsync should work fine, but personally I like to see exactly which
>> changes are being deployed especially when deploying to production.
>> While I realise this recommendation is not Open Source software, I
>> have found it to be an excellent piece of software for this task. I
>> use Beyond Compare which has the ability to connect over SFTP or SCP
>> as well as regular FTP. It allows you to 'diff' the files as you go
>> and view exact changes and you can transfer only the changes you want
>> or whole files if you choose to. I would not be surprised if an Open
>> Source equivalent exists.
>
> What about SVN? You can do an svn export. Or you can have a working
> copy for production too.
> Just don't forget to deny access to .svn in your webserver.
> Here are directives for Apache:
>
> 
> Order allow,deny
> Deny from all
> 
>

I do exactly this; it's handy to be able to check out the latest version of
a website, make some changes and commit it again, while having access to
the complete revision history, from absolutely anywhere.

SVN works over HTTPS, so it can go straight through most firewalls without
anyone noticing, and it also does data transmissions (like rsync) which can
be a LOT faster than re-uploading the whole file with SFTP etc.

There are some security issues in a shared hosting environment though: if
you use a commit hook to update the web root on commit using a file:///
URL, anyone on the server could check out / commit files from the
repository. As of right now the only workaround that I can think of for
this would be to run two Apaches at the same time, one for SVN, and one for
the main HTTP server which is chrooted to block access to the SVN repos,
and have the non-chrooted server reverse proxy connections to the chrooted
one.





Re: [PHP] security/deployment issue

2009-10-15 Thread xfedex
> Rsync should work fine, but personally I like to see exactly which
> changes are being deployed especially when deploying to production.
> While I realise this recommendation is not Open Source software, I
> have found it to be an excellent piece of software for this task. I
> use Beyond Compare which has the ability to connect over SFTP or SCP
> as well as regular FTP. It allows you to 'diff' the files as you go
> and view exact changes and you can transfer only the changes you want
> or whole files if you choose to. I would not be surprised if an Open
> Source equivalent exists.

What about SVN? You can do an svn export. Or you can have a working
copy for production too.
Just don't forget to deny access to .svn in your webserver.
Here are directives for Apache:


Order allow,deny
Deny from all
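
Whether the production tree came from `svn export` (no metadata) or is a working copy (one `.svn` directory per directory, which the Apache rule above has to keep out of reach), it is worth verifying after each deploy that no version-control metadata is sitting under the web root. The audit below is an added example for this thread and for hessiess's reply above, not code from either poster; it builds a constructed sample tree in a temporary directory (one subtree imitating a working copy, one imitating an export) and reports every metadata directory it finds. The set of directory names is widened beyond `.svn` to other version-control tools as a generalisation of the same check.

```python
"""Post-deployment audit: find VCS metadata directories inside a web root."""
import os
import tempfile

# Directory names that must not be reachable under a deployed web root.
# The thread concerns .svn; the other entries generalise the same check.
VCS_DIRS = {".svn", ".git", ".hg"}


def find_vcs_metadata(root):
    """Walk root and return the relative paths of VCS metadata directories found.

    A matching directory is pruned from the walk, so a working copy with one
    .svn per directory is reported once per directory without descending
    into the metadata itself. Only directories are matched; a file whose
    name merely contains '.svn' is not reported.
    """
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in sorted(dirnames):  # iterate over a copy so we can prune
            if name in VCS_DIRS:
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
                dirnames.remove(name)
    return sorted(found)


def build_sample_webroot(base):
    """Constructed sample tree: 'wc' imitates a Subversion working copy,
    'export' imitates the result of svn export. Returns both root paths."""
    for rel in ("wc/index.php", "wc/.svn/entries", "wc/lib/db.php",
                "wc/lib/.svn/entries", "wc/svn-notes.txt",
                "export/index.php", "export/lib/db.php"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return os.path.join(base, "wc"), os.path.join(base, "export")


def audit_sample():
    """Run the audit on the constructed tree; returns (wc_findings, export_findings)."""
    with tempfile.TemporaryDirectory() as base:
        wc, export = build_sample_webroot(base)
        return find_vcs_metadata(wc), find_vcs_metadata(export)


if __name__ == "__main__":
    wc_hits, export_hits = audit_sample()
    print("working copy:", wc_hits or "clean")
    print("svn export:  ", export_hits or "clean")
```

Run against a real web root, `find_vcs_metadata("/home/project")` returning a non-empty list means the deploy is a working copy and the Apache deny rule is load-bearing; an empty list means an export was deployed and there is nothing for the rule to protect.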





Re: [PHP] security/deployment issue

2009-10-11 Thread James McLean
On Mon, Oct 12, 2009 at 4:06 PM, Augusto Flavio wrote:
> I have a doubt about my security and deployment methods. Today I manage
> several projects and these projects are versioned with Subversion. My
> environment is something like this:
>
> 1. The developer makes some update to the source code of a project (from
> their IDE, generally NetBeans).
> 2. The developer commits the modifications to the Subversion server after
> testing it (sure).
> 3. The project manager syncs the files from the dev server to the prod
> server (using rsync).

Sounds mostly fine. I assume you have other testing going on before
deployment to production, though.

> Well, I have 2 questions, all about rsync:
>
> 1. For each project we have an SSH user that is used to sync the files (source
> code) to the prod server. The problem that I see here is that for each
> project I need to have an SSH account to sync these files. This is not so
> cool because I need to have several active SSH accounts on my prod server.
> I'm thinking about using the root account to do this work. Is this a good
> practice?

The root account is not a very good idea for this. You could create a
'service' account that is used exclusively for transferring the files
to the server. To allow this user access to the various source
directories you can use something like ACLs, or perhaps even regular
UNIX file permissions may work if your needs aren't very complex.

> 2. Is there some other way, better than rsync, for this
> deployment issue?

Rsync should work fine, but personally I like to see exactly which
changes are being deployed especially when deploying to production.
While I realise this recommendation is not Open Source software, I
have found it to be an excellent piece of software for this task. I
use Beyond Compare which has the ability to connect over SFTP or SCP
as well as regular FTP. It allows you to 'diff' the files as you go
and view exact changes and you can transfer only the changes you want
or whole files if you choose to. I would not be surprised if an Open
Source equivalent exists.

Cheers,

James
