Sudo in switchtower and security


#1

I’m attempting to deploy a rails application using switchtower. My IT
guys are refusing to give me sudo for a user changeable script. I really
can’t argue with their logic. If I have sudo for a script that I can
update, well, I can do most anything I want.

They are suggesting I create a cgi that performs the same function.
Since the cgi would run as www-data (this is a debian system) it would
be able to kill (or signal) the www-data fcgi processes.

Comments or suggestions?

-Kelly


#2

On one hand I can see where your IT guys are coming from, but on the
other hand I’m not sure how you are expected to deploy and maintain
your application if you can’t restart the server and manage your fcgi
processes, using switchtower or otherwise.

What server are you using? Could you not set up your app in a folder
you have full rights on (under your home folder perhaps), and serve it
up using lighttpd that is also run as your own user? That way you
wouldn’t need to use sudo as everything runs under your own account.

Then all they have to do, assuming you already have apache running, is
set up mod_proxy to point at the lighttpd instance.

On 2/22/06, Kelly F. removed_email_address@domain.invalid wrote:

-Kelly


Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


Cheers,
Luke R.
www.lukeredpath.co.uk


#3

On Feb 22, 2006, at 12:24 PM, Luke R. wrote:

Then all they have to do, assuming you already have apache running, is
set up mod_proxy to point at the lighttpd instance.

Another option is to put the restart logic in a script, and turn that
script over to your IT department so that you no longer have control
over it. Then, have them give you sudo permissions sufficient to
execute that script.

It’ll require you to write a custom restart task, but it should be a
simple one-liner.

- Jamis
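
An added example, not part of the thread or of SwitchTower: the arrangement described in #3 only answers the objection raised in #1 if the deploy user cannot modify the script or any directory above it. The check below assumes GNU stat (Debian); the sudoers rule, the `deploy` account and the script path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical sudoers rule under audit:
#   deploy ALL=(root) NOPASSWD: /usr/local/sbin/restart-myapp
# The rule is only as strong as the file system permissions on that path.

# sudo_target_is_safe FILE [TRUSTED_UID] [STOP_DIR]
# Succeeds only if FILE and every directory from its parent up to STOP_DIR
# is owned by TRUSTED_UID, is not group/world-writable, and is not a symlink.
# A writable parent directory matters as much as the file: whoever can write
# the directory can rename the script away and drop in a replacement.
sudo_target_is_safe() {
    file=$1
    trusted_uid=${2:-0}   # root by default
    stop_dir=${3:-/}      # top of the tree to audit

    case $file in
        /*) ;;
        *) echo "need an absolute path: $file" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }

    path=$file
    while :; do
        if [ -L "$path" ]; then
            echo "symlink in path: $path" >&2; return 1
        fi
        # GNU stat: numeric owner and octal mode, e.g. "0 755"
        owner_mode=$(stat -c '%u %a' "$path") || return 1
        owner=${owner_mode% *}
        mode=${owner_mode#* }
        if [ "$owner" != "$trusted_uid" ]; then
            echo "$path is owned by uid $owner, expected $trusted_uid" >&2
            return 1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$path is group- or world-writable (mode $mode)" >&2
            return 1
        fi
        if [ "$path" = "$stop_dir" ] || [ "$path" = "/" ]; then
            return 0
        fi
        path=$(dirname "$path")
    done
}
```

Run it against the script path before the sudoers rule is enabled, and again whenever the script is updated.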