[Rails] Suggestions for a secure rails setup regarding system users, groups and permissions.
Howdy. After much experimentation with Capistrano, my deploy.rb file seems to be working without problems, but I would like to verify what is recommended in regard to users, groups and permissions. I run Rails with Apache, Passenger, ImageMagick, Thinking Sphinx, and of course, deploy with Capistrano. Quite a bit of detail and text follow, so thanks for bearing with me.

My system's users:

  root      # login disabled. I don't do much with this directly
  main      # I use this account for day to day system maintenance, to install system software, packages, gems, etc.
  deployer  # I use this to deploy the webapp & also run it. The deployer user is also a member of the www-data group and has no sudoer powers.

Rails app directory: I set setgid on my rails app directory so that all files & directories created and uploaded by deployer are automatically set to the www-data group. Here are a few permissions from some random files in my app directory:

  log files in the rails log dir             - owner: rw, group: r,  others: r
  application_controller                     - owner: rw, group: rw, others: r
  environment.rb (contains mailer password!) - owner: rw, group: rw, others: r

I'm thinking I should do a deep dive and have Capistrano further restrict some of these permissions near the end of the deploy process. For example, I probably wouldn't want environment.rb read by other users, since it contains a password. Do you folks have any general best permission practices for the assorted app files (environment, views, logs, etc.)? As I mentioned previously my setup currently works, but I'm just not sure if it's as secure as it could be. In the event that my app has a security flaw, I don't want a malicious user messing with my server's files, logs, and so on.

I'm also thinking about taking a bigger step regarding the account which actually runs the webapp... I've heard that it's recommended to create another user separate from the deploy user (giving me a total of three users: main, deployer and myapp).

However, I'm not entirely clear if that's necessary when the deploy user is already separate from the main user. I'm thinking that by creating a dedicated user in this instance, I could, for example, set tighter permissions on files that the webapp user should never change, e.g. application_controller could be owner: read, group: read, others: nothing.

I'm guessing that if I create a dedicated myapp user, I would likewise need to enable sudo in deploy.rb and give deployer sudo permissions so that it can change file ownership and groups as necessary. In doing that I suspect I'd also want to restrict deployer's sudo via visudo:

  deployer hostname=/usr/bin/touch, /bin/chown, /bin/chgrp, /bin/ln, /bin/chmod  # Adds deployer account to sudoers, but restricts sudo commands to just those listed.

Am I missing any other necessary sudo-specific commands here? I think I'd also need to add some more tasks that set the user accordingly before update_code and after update_code, right? Such as...

before:

  task :deployer_takes_control do
    # required so the deploy user can modify files from deploy to deploy
    sudo "chown -R #{deploy_user}:#{webapp_group} #{release_path}"
  end

after:

  task :webapp_takes_control do
    # done with the deploy. returns things to normal so that myapp user owns the files
    sudo "chown -R #{webapp_user}:#{webapp_group} #{release_path}"
  end

Lastly, I'm not entirely clear on what the benefits of this are, but I've also seen a few recommendations to create a custom group for the webapp too. That is, instead of using the www-data group for my app directory and its files, I should create a new group ('webapp' or something) and set all my app files and folders to this group. I would then make the apache user a member of the webapp group so it can read & write as necessary. Is this advice recommended?

As you can see I'm trying to decide if I should just make a few permission tweaks or go further and do those tweaks, but also set up the dedicated webapp user and maybe a custom group. If you have any comments or suggestions for these things or any other suggestions, I'd love to hear them. Thanks!

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
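The "further restrict permissions near the end of the deploy" step the post is reaching for, written out as an added example (not the poster's code and not part of Capistrano): code and config become group-readable only, log/ and tmp/ become the only group-writable trees, and a second function reports anything still reachable by "other". It assumes the layout the post describes (files owned by the deploy user, group www-data or a dedicated app group, app process only a member of that group); `harden_release`, `mode_for` and `world_accessible` are names chosen here.

```ruby
# Added example, not from the original post or Capistrano: a post-deploy
# permission step for a Rails release tree. Assumes the layout described in
# the post: files owned by the deploy user, group www-data (or a dedicated
# app group), app process only a member of that group. Uses chmod alone on
# files the deploy user already owns, so it needs no sudo.
require 'find'
require 'tmpdir'  # only needed for a dry run against a scratch tree

DIR_MODE       = 0o750   # rwxr-x---: code/config dirs, group may traverse
FILE_MODE      = 0o640   # rw-r-----: environment.rb etc. unreadable by other
WRITABLE_DIR   = 0o2770  # rwxrws---: setgid so new files inherit the group
WRITABLE_FILE  = 0o660   # rw-rw----: the app process may append to logs
GROUP_WRITABLE = %w[log tmp].freeze  # the only trees the app may write into

# Mode for a path given relative to the release root.
def mode_for(rel, directory)
  if GROUP_WRITABLE.include?(rel.split('/').first)
    directory ? WRITABLE_DIR : WRITABLE_FILE
  else
    directory ? DIR_MODE : FILE_MODE
  end
end

def relative(root, path)
  path.sub(%r{\A#{Regexp.escape(root)}/?}, '')
end

# Apply the policy to everything under release_path, skipping symlinks
# (Capistrano's shared/ links point outside the release). Returns
# {relative_path => mode} so the deploy log can show what changed.
def harden_release(release_path)
  applied = {}
  Find.find(release_path) do |path|
    next if File.symlink?(path)
    rel = relative(release_path, path)
    mode = rel.empty? ? DIR_MODE : mode_for(rel, File.directory?(path))
    File.chmod(mode, path)
    applied[rel] = mode unless rel.empty?
  end
  applied
end

# Post-deploy check: relative paths still readable, writable or executable
# by "other" (empty when the hardening worked).
def world_accessible(release_path)
  Find.find(release_path).reject { |p| File.symlink?(p) }
      .select { |p| (File.stat(p).mode & 0o007) != 0 }
      .map { |p| relative(release_path, p) }
      .reject(&:empty?)
end
```

In a Capistrano task this would run as `harden_release(release_path)` after update_code, with `world_accessible` as the final assertion before the release is linked live.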
[Rails] Re: api.rubyonrails.org site is taken over by a domain squatter
> Pointless remark? Ha. Can't this be avoided for the second time if not for
> the first time?
> I still don't believe this could happen to ROR.

it's not the freaking rails framework man. it's the domain name registrar.

On Apr 21, 7:39 am, Amala Singh wrote:
> Pointless remark? Ha. Can't this be avoided for the second time if not for
> the first time?
> I still don't believe this could happen to ROR.
>
> On 21 April 2010 15:26, Peter De Berdt wrote:
> > On 21 Apr 2010, at 14:56, Amala Singh wrote:
> > > This is a sign of ROR losing credibility. It is such a shame that it has
> > > happened to a wonderful innovation. Why are they going for RoR3 and so on,
> > > if they cannot maintain the existing things better?
> >
> > What a pointless remark. 37signals paid the renewal of the domain well
> > beforehand, their registrar screwed up again. That's hardly their fault and
> > has nothing to do with 37signals' infrastructure. It's not the first major
> > site to have this problem btw, can happen to everyone.
> >
> > Best regards
> >
> > Peter De Berdt
>
> --
> Nandri (Thanks in Tamil),
> Amala Singh
[Rails] Re: api.rubyonrails.org site is taken over by a domain squatter
API doesn't work with .com

On Apr 20, 3:12 pm, jhaagmans wrote:
> You can use rubyonrails.com now.
>
> On Apr 20, 10:11 pm, dan wrote:
> > is there a direct ip for ruby rails site?
[Rails] Re: ActiveRecord Comparison Bug?
Hi Fred,

Thank you for the response! What you said made sense, thanks for the explanation. However, looking at the last criterion of the == implementation, we can see why something like what I mentioned would fail. Let's say I have two AR objects:

  > old = Something.find(1)
  => #

then I create a new object:

  > new = Something.new
  => #
  > new.id = 1   # something like this is possible, how or why is another story...
  > new
  => #

now do:

  > new == old
  => true
  > old == new
  => false

The == method should be commutative, right? Appreciate any comments!

-Moo

On Apr 10, 10:52 am, Frederick Cheung wrote:
> On Apr 10, 5:50 pm, Moo wrote:
> > Does anyone have any thoughts on this please?
>
> Basically the rationale is that == should mean 'do these objects
> correspond to the same database row?'
>
> The reason why unsaved records are special cased is that two unsaved
> records would have equal id (nil in both cases) but if you saved them
> you would end up with 2 distinct rows in your database.
>
> I'm not sure why you're getting new == old not being the same as old
> == new. They should both be false (and are on my machine)
>
> Fred
>
> > On Apr 8, 5:29 pm, Moo wrote:
> > > Hi Everyone,
> > >
> > > I'm running into a problem with the ActiveRecord::Base "==" method
> > > defined here (it's 2.3.2, but it looks the same in older versions
> > > too):
> > >
> > > # File rails-2.3.2/activerecord/lib/active_record/base.rb, line 2816
> > > 2816: def ==(comparison_object)
> > > 2817:   comparison_object.equal?(self) ||
> > > 2818:     (comparison_object.instance_of?(self.class) &&
> > > 2819:       comparison_object.id == id &&
> > > 2820:       !comparison_object.new_record?)
> > > 2821: end
> > >
> > > Because of the last criterion (!comparison_object.new_record?),
> > > something like this happens... say I have a new record and an existing
> > > record (different objects) and compare them:
> > >
> > > > new == old
> > > => true
> > > > old == new
> > > => false
> > >
> > > If this is intentional, can someone please explain why this is?
> > >
> > > Also what is the rationale of only comparing the ID and not all the
> > > values too and why does it matter if it's a new record or not?
> > >
> > > Thank you!
> > > -Moo
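The asymmetry Moo describes, reproduced as an added example that is not from the thread or from Rails: `Record` is a constructed stand-in class whose `==` copies the logic of the quoted base.rb lines, placed next to a `same_row?` variant (a name chosen here) that checks the new_record? state of both sides and so stays symmetric while still keeping Fred's rule that two unsaved records never compare equal.

```ruby
# Added example, not from the thread: a minimal stand-in for the
# ActiveRecord 2.3.2 "==" quoted above, to show why it is not symmetric,
# next to a version that is. Record is a constructed class, not AR.
class Record
  attr_accessor :id
  def initialize(id = nil, persisted: false)
    @id, @persisted = id, persisted
  end
  def new_record?; !@persisted; end

  # Same logic as the quoted base.rb: only the *argument* is checked for
  # being unsaved, so `new == old` and `old == new` take different branches.
  def ==(other)
    other.equal?(self) ||
      (other.instance_of?(self.class) && other.id == id && !other.new_record?)
  end

  # Symmetric variant: both sides must be persisted rows with the same id.
  # Two unsaved records (id nil on both) are still unequal, as Fred's
  # rationale requires, and the answer no longer depends on operand order.
  def same_row?(other)
    equal?(other) ||
      (other.instance_of?(self.class) && !new_record? && !other.new_record? &&
       id == other.id)
  end
end

# Reproduce Moo's console session: a saved row with id 1 and an unsaved
# object whose id was set to 1 by hand. Returns every comparison outcome.
def reproduce_asymmetry
  old = Record.new(1, persisted: true)
  new = Record.new
  new.id = 1
  { new_eq_old: new == old, old_eq_new: old == new,
    same_row_fwd: new.same_row?(old), same_row_rev: old.same_row?(new),
    two_unsaved: Record.new.same_row?(Record.new) }
end
```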
[Rails] Re: ActiveRecord Comparison Bug?
Does anyone have any thoughts on this please?

On Apr 8, 5:29 pm, Moo wrote:
> Hi Everyone,
>
> I'm running into a problem with the ActiveRecord::Base "==" method
> defined here (it's 2.3.2, but it looks the same in older versions
> too):
>
> # File rails-2.3.2/activerecord/lib/active_record/base.rb, line 2816
> 2816: def ==(comparison_object)
> 2817:   comparison_object.equal?(self) ||
> 2818:     (comparison_object.instance_of?(self.class) &&
> 2819:       comparison_object.id == id &&
> 2820:       !comparison_object.new_record?)
> 2821: end
>
> Because of the last criterion (!comparison_object.new_record?),
> something like this happens... say I have a new record and an existing
> record (different objects) and compare them:
>
> > new == old
> => true
> > old == new
> => false
>
> If this is intentional, can someone please explain why this is?
>
> Also what is the rationale of only comparing the ID and not all the
> values too and why does it matter if it's a new record or not?
>
> Thank you!
> -Moo
[Rails] ActiveRecord Comparison Bug?
Hi Everyone,

I'm running into a problem with the ActiveRecord::Base "==" method defined here (it's 2.3.2, but it looks the same in older versions too):

  # File rails-2.3.2/activerecord/lib/active_record/base.rb, line 2816
  2816: def ==(comparison_object)
  2817:   comparison_object.equal?(self) ||
  2818:     (comparison_object.instance_of?(self.class) &&
  2819:       comparison_object.id == id &&
  2820:       !comparison_object.new_record?)
  2821: end

Because of the last criterion (!comparison_object.new_record?), something like this happens... say I have a new record and an existing record (different objects) and compare them:

  > new == old
  => true
  > old == new
  => false

If this is intentional, can someone please explain why this is?

Also what is the rationale of only comparing the ID and not all the values too and why does it matter if it's a new record or not?

Thank you!
-Moo