Tainted R Moo
2011-Apr-11 05:52 UTC
Suggestions for a secure rails setup regarding system users, groups and permissions.
Howdy. After much experimentation with Capistrano, my deploy.rb file seems to be working without problems, but I would like to verify what is recommended in regard to users, groups and permissions. I run Rails with Apache, Passenger, ImageMagick, Thinking Sphinx, and of course, deploy with Capistrano. Quite a bit of detail and text follow, so thanks for bearing with me.

My system's users:

    root      # login disabled. I don't do much with this directly
    main      # I use this account for day to day system maintenance, to install system software, packages, gems, etc
    deployer  # I use this to deploy the webapp & also run it.

The deployer user is also a member of the www-data group and has no sudoer powers.

Rails app directory:

Set setgid on my rails app directory so that all files & directories created and uploaded by deployer are automatically set to the www-data group.

Here are a few permissions from some random files in my app directory:

    log files in the rails log dir - owner: rw, group: r, others: r
    application_controller - owner: rw, group: rw, other: r
    environment.rb (contains mailer password!) - owner: rw, group: rw, other: r

I’m thinking I should do a deep dive and have capistrano further restrict some of these permissions near the end of the deploy process. For example, I probably wouldn’t want environment.rb read by other users, since it contains a password. Do you folks have any general best permission practices for the assorted app files (environment, views, logs, etc)?

As I mentioned previously my setup currently works, but I'm just not sure if it's as secure as it could be. In the event that my app has a security flaw, I don't want a malicious user messing with my server's files, logs, and so on.

I'm also thinking about taking a bigger step regarding the account which actually runs the webapp... I’ve heard that it’s recommended to create another user separate from the deploy user (giving me a total of three users: main, deployer and myapp).
However, I'm not entirely clear if that's necessary when the deploy user is already separate from the main user. I’m thinking that by creating a dedicated user in this instance, I could, for example, set tighter permissions on files that the webapp user should never change.

    e.g., application_controller could be owner: read, group: read, others: nothing

I'm guessing that if I create a dedicated myapp user, I would likewise need to enable sudo in deploy.rb and give deployer sudo permissions so that it can change file ownership and groups as necessary. In doing that I suspect I'd also want to restrict deployer's sudo via visudo:

    deployer hostname=/usr/bin/touch, /bin/chown, /bin/chgrp, /bin/ln, /bin/chmod
    # Adds deployer account to sudoers, but restricts sudo commands to just those listed.

Am I missing any other necessary sudo-specific commands here?

I think I'd also need to add some more tasks that set the user accordingly before update_code and after update_code, right? Such as...

before -

    task :deployer_takes_control do
      # required so the deploy user can modify files from deploy to deploy
      sudo "chown -R #{deploy_user}:#{webapp_group} #{release_path}"
    end

after -

    task :webapp_takes_control do
      # done with the deploy. returns things to normal so that myapp user owns the files
      sudo "chown -R #{webapp_user}:#{webapp_group} #{release_path}"
    end

Lastly, I'm not entirely clear on what the benefits of this are, but I've also seen a few recommendations to create a custom group for the webapp too. That is, instead of using the www-data group for my app directory and its files, I should create a new group ('webapp' or something) and set all my app files and folders to this group. I would then make the apache user a member of the webapp group so it can read & write as necessary. Is this advice recommended?

As you can see I’m trying to decide if I should just make a few permission tweaks or go further and do those tweaks, but also set up the dedicated webapp user and maybe a custom group. If you have any comments or suggestions for these things or any other suggestions, I’d love to hear them.

Thanks!
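
Added example (not part of the original post): a Ruby audit of the permission layout the post describes. It flags secret files readable by others, code writable by the group, directories missing setgid, and anything world-writable. The function name, the SECRET_PATTERNS list and the finding labels are assumptions made for this illustration.

```ruby
require "find"

# Assumed name patterns for files that hold credentials (the post names
# environment.rb); extend the list to match your own app.
SECRET_PATTERNS = [/environment\.rb\z/, /database\.yml\z/].freeze

# Walks root and returns [path, problem] pairs (hypothetical helper).
def audit_permissions(root)
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?              # symlink modes carry no meaning
    mode = st.mode & 0o7777
    if st.directory?
      # Without setgid, new files do not inherit the directory's group.
      findings << [path, "directory lacks setgid"] if (mode & 0o2000).zero?
    else
      secret = SECRET_PATTERNS.any? { |re| path.match?(re) }
      findings << [path, "secret readable by others"] if secret && (mode & 0o004) != 0
      # Group write lets every member of the group alter application code.
      findings << [path, "code writable by group"] if path.end_with?(".rb") && (mode & 0o020) != 0
    end
    findings << [path, "writable by others"] if (mode & 0o002) != 0
  end
  findings
end

# Stand-alone use: ruby audit.rb /path/to/release
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  audit_permissions(ARGV[0]).each { |path, problem| puts "#{problem}: #{path}" }
end
```

Run against a release directory at the end of a deploy, an empty result means none of the four conditions were found.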