Forum: Rails deployment How to restrict access to my deploy.rb file?

Rémi G. (Guest)
on 2008-11-12 21:11
I would like to restrict the access to the deploy.rb file to prevent any
mods from anybody that could cause a major issue in the production zone,
for instance.

I do know that I can keep the deploy.rb away from the project.  I'd like
to know some real world process for this.

Thank you

Rémi
Jeremy W. (Guest)
on 2008-12-14 21:56
Rémi Gagnon wrote:
> I would like to restrict the access to the deploy.rb file to prevent any
> mods from anybody that could cause a major issue in the production zone,
> for instance.
>
> I do know that I can keep the deploy.rb away from the project.  I'd like
> to know some real world process for this.
>
> Thank you
>
> Rémi

I recommend having the deploy script prompt for passwords (SSH, SVN/Git,
etc) instead of baking them in in plain text. That way the script is
useless without credentials.
Roderick v. (Guest)
on 2008-12-14 23:08
Jeremy Weiskotten wrote:
> Rémi Gagnon wrote:
>> I would like to restrict the access to the deploy.rb file to prevent any
>> mods from anybody that could cause a major issue in the production zone,
>> for instance.
>
> I recommend having the deploy script prompt for passwords (SSH, SVN/Git,
> etc) instead of baking them in in plain text. That way the script is
> useless without credentials.

+1. Additional things that you can undertake:

 * Use SSH keys. The best security model relies on something that you
know (credentials) plus something that you have (private keys).

 * Keep a deploy.example.rb file under source control and set the actual
deploy.rb to ignore. This is not a substitute for prompting for passwords!
You can use it to add a layer of obscurity for your repository URL and
server hostnames.

--
Roderick van Domburg
http://www.nedforce.com
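
An added example, not part of the original thread: a small Ruby check that flags credentials stored as string literals in a deploy.rb, which is the situation the replies above advise against, while accepting values that are prompted for or read at run time. It assumes Capistrano 2 style `set` lines; the watch list in `CREDENTIAL_KEYS` and the sample file are constructed for illustration.

```ruby
# Added example: flag credentials stored as string literals in a Capistrano deploy.rb.
# CREDENTIAL_KEYS is an assumed watch list; extend it for your own settings.
CREDENTIAL_KEYS = %w[password scm_password].freeze

# Matches `set :key, "literal"` or `set(:key, 'literal')`. Comment lines never
# match because the pattern is anchored to a line that starts with `set`.
LITERAL_SET = /^\s*set\s*\(?\s*:(\w+)\s*,\s*(["'])(.*?)\2/

# Returns one hash per credential setting whose value is a non-empty string literal.
def hardcoded_credentials(source)
  findings = []
  source.each_line.with_index(1) do |line, number|
    match = LITERAL_SET.match(line)
    next unless match && CREDENTIAL_KEYS.include?(match[1])
    next if match[3].empty?
    findings << { line: number, key: match[1] } # the value is deliberately not reported
  end
  findings
end

# Constructed sample input, not a real configuration.
SAMPLE_DEPLOY = <<~'RUBY'
  set :application, "example_app"
  set :user, "deploy"
  set :password, "constructed-secret"
  # set :scm_password, "commented-out"
  set(:scm_password) { Capistrano::CLI.password_prompt("SCM password: ") }
  set :scm_password, 'another-constructed-secret'
RUBY

if __FILE__ == $PROGRAM_NAME
  # With a path argument, lint that file; without one, lint the sample above.
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_DEPLOY
  found = hardcoded_credentials(source)
  found.each { |f| warn "line #{f[:line]}: :#{f[:key]} is set to a string literal" }
  exit 1 if ARGV[0] && found.any?
end
```

Run against a real file, it exits non-zero when a literal credential is found, so it can serve as a pre-commit or CI check.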