Comments (13)
Is the problem that you're being asked for the sudo password when you deploy?
from capistrano-3-rails-template.
I had to add the following to my sudoers
file with sudo EDITOR=vim visudo
:
deployer ALL=NOPASSWD:/bin/ln -nfs /home/deployer/* /etc/nginx/sites-enabled/*
deployer ALL=NOPASSWD:/bin/ln -nfs /home/deployer/* /etc/init.d/*
deployer ALL=NOPASSWD:/etc/init.d/nginx reload
deployer ALL=NOPASSWD:/etc/init.d/unicorn_treescript_production restart
deployer ALL=NOPASSWD:/usr/sbin/service unicorn_treescript_production restart
Where deployer
is the name of my deployment user. This is because Capistrano 3 favors the passwordless sudo method of executing sudo commands.
from capistrano-3-rails-template.
Thanks @christiangenco , I'm working on something to automate setting that up, will keep this issue open until I've got something available
from capistrano-3-rails-template.
Is this how Capistrano 3 wants us to do it? Seems a bit clunky. Also, by not being verbose I'm likely exposing myself to some kind of symbolic link exploit (allowing deployer
to link anything in /home/deployer
with anything in /etc/nginx/sites-enabled
, etc.).
from capistrano-3-rails-template.
At the moment I can't see a better approach, going to experiment this weekend with the minimum permissions we can get away with in the sudoers file while still allowing flexibility of different configs on the Capistrano side.
The only one that bothers me is allowing links to be created to /etc/init.d/
, but since we only allow links to be created, not commands executed, it seems like there's limited damage which could be done?
from capistrano-3-rails-template.
With what permissions are things in /etc/init.d/
executed? Could the deployer
user create a malicious script, make it executable, symlink it into /etc/init.d/
, and gain more privilages than it would have had otherwise?
from capistrano-3-rails-template.
Most scripts in /etc/init.d (because that are executed at startup/shutdown) are run (at least initially) by the root user
On 9 May 2014, at 01:05, Christian Genco [email protected] wrote:
With what permissions are things in /etc/init.d/ executed? Could the deployer user create a malicious script, make it executable, synlink it into /etc/init.d/, and gain more privilages than it would have had otherwise?
—
Reply to this email directly or view it on GitHub.
from capistrano-3-rails-template.
To me the biggest hole is that we want the user to be able to create symlinks such as /etc/init.d/unicorn_something
in /etc/init.d
and we also need them to be able to execute them. That means that in theory if an attacker gained access to the deploy user, they'd be able to symlink something containing arbitrary code which followed the allowed naming convention to /etc/init.d/something
and then execute it with as root with sudo.
That said, if a malicious user has got access to the deploy user in this configuration they can already change anything about the running web app and get database access so I'm not sure how much worse root access really makes it?
from capistrano-3-rails-template.
That's a fair point, and you perfectly echoed my concerns.
What is sudo protection really preventing? Potential leaks in Rails (or whatever middleware you're using) that would allow arbitrary code execution?
from capistrano-3-rails-template.
I don't think there's any way around giving the deployment user a "dangerous" set of permissions. But maybe unicorn does not need to run as the deploy user? At least the dreaded "arbitrary code" would be executed with less privilege.
from capistrano-3-rails-template.
perhaps we just need to leave deploy_user
as unprivileged as it is, and create a newer user just for deploy:setup_config
? in fact, shouldn't that be root
? what do you thinkg @TalkingQuickly?
from capistrano-3-rails-template.
Ooo, I love the idea of setting up as root - that makes a lot of sense, and solves all of these problems.
Is there a downside?
from capistrano-3-rails-template.
For whoever is still following this repo, adding the following line will get rid of the error sudo: no tty present and no askpass program specified
:
put set :pty, true
under set :application, 'APP_NAME'
from capistrano-3-rails-template.
Related Issues (20)
- Don't know how to build task 'deploy:setup_config' HOT 4
- #{fetch(:full_app_name)} isn't working when creating symlinks in deploy.rb HOT 8
- Unicorn socket in /tmp vs. application shared tmp
- cap production deploy:setup_config problem HOT 1
- capistrano maintenance page
- check_revision.cap assumes remote being deployed from is origin
- Error on deploy HOT 3
- Error on reloading nginx HOT 1
- shouldn't database.yml be in the :config_files array? HOT 2
- compile_assets_locally tasks uses sudo HOT 1
- Error, when run cap production deploy:compile_assets_locally HOT 1
- Application folder
- Troubleshooting Zero Downtime Deployment for Unicorn HOT 1
- Choosing application role (web app db)
- Sidekiq dies, no monit recipe HOT 1
- nginx upstream sock path going to 'current_path/tmp' not to '/tmp' HOT 1
- Unicorn restarts don't seem to follow unicorn.bogomips.org/SIGNALS.html instructions HOT 2
- Issue running `bundle exec cap production database:create`
- App Successfully Deployed but not Running When Visiting VPS Address
- logrotate
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from capistrano-3-rails-template.