Suggestions for a secure rails setup regarding system users, groups and permissions

Howdy. After much experimentation with Capistrano, my deploy.rb file
seems to be working without problems, but I would like to verify what
is recommended in regard to users, groups and permissions. I run
Rails with Apache, Passenger, ImageMagick, Thinking Sphinx, and of
course, deploy with Capistrano. Quite a bit of detail and text
follow, so thanks for bearing with me.

My system’s users:
root # login disabled. I don’t do much with this directly
main # I use this account for day to day system maintenance, to install system software, packages, gems, etc
deployer # I use this to deploy the webapp & also run it. The deployer user is also a member of the www-data group and has no sudoer powers.

Rails app directory: Set setgid on my rails app directory so that all
files & directories created and uploaded by deployer are automatically
set to the www-data group.

Here are a few permissions from some random files in my app directory:
log files in the rails log dir - owner: rw, group: r, others: r
application_controller - owner: rw, group: rw, other: r
environment.rb (contains mailer password!) - owner: rw, group: rw, other: r

I’m thinking I should do a deep dive and have Capistrano further
restrict some of these permissions near the end of the deploy process.
For example, I probably wouldn’t want environment.rb read by other
users, since it contains a password. Do you folks have any general
best permission practices for the assorted app files (environment,
views, logs, etc)?

As I mentioned previously my setup currently works, but I’m just not
sure if it’s as secure as it could be. In the event that my app has a
security flaw, I don’t want a malicious user messing with my server’s
files, logs, and so on. I’m also thinking about taking a bigger step
regarding the account which actually runs the webapp…

I’ve heard that it’s recommended to create another user separate from
the deploy user (giving me a total of three users: main, deployer and
myapp). However, I’m not entirely clear if that’s necessary when the
deploy user is already separate from the main user. I’m thinking that
by creating a dedicated user in this instance, I could, for example,
set tighter permissions on files that the webapp user should never
change. e.g., application_controller could be owner: read, group:
read, others: nothing

I’m guessing that if I create a dedicated myapp user, I would likewise
need to enable sudo in deploy.rb and give deployer sudo permissions so
that it can change file ownership and groups as necessary. In doing
that I suspect I’d also want to restrict deployer’s sudo via visudo:

deployer hostname=/usr/bin/touch, /bin/chown, /bin/chgrp, /bin/ln, /bin/chmod
# Adds deployer account to sudoers, but restricts sudo commands to just those listed.

Am I missing any other necessary sudo-specific commands here?

I think I’d also need to add some more tasks that set the user
accordingly before update_code and after update_code, right?
such as…

before -
task :deployer_takes_control do
  # required so the deploy user can modify files from deploy to deploy
  sudo "chown -R #{deploy_user}:#{webapp_group} #{release_path}"
end

task :webapp_takes_control do
  # done with the deploy. returns things to normal so that myapp user owns the files
  sudo "chown -R #{webapp_user}:#{webapp_group} #{release_path}"
end

Lastly, I’m not entirely clear on what the benefits of this are, but
I’ve also seen a few recommendations to create a custom group for the
webapp too. That is, instead of using the www-data group for my app
directory and its files, I should create a new group (‘webapp’ or
something) and set all my app files and folders to this group. I
would then make the apache user a member of the webapp group so it
can read & write as necessary. Is this advice recommended?

As you can see, I’m trying to decide if I should just make a few
permission tweaks or go further and do those tweaks, but also set up
the dedicated webapp user and maybe a custom group. If you have any
comments or suggestions for these things or any other suggestions, I’d
love to hear them.
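
Added example, not part of the original post: a Ruby check that walks a release directory and reports the two conditions the post worries about, a secrets file readable by "other" and application code writable by the group. The file paths, the `SECRET_FILES` and `CODE_DIRS` lists, and the sample tree are assumptions constructed from the modes quoted above.

```ruby
require "find"
require "tmpdir"
require "fileutils"

# Assumed policy inputs: the post names environment.rb as holding the mailer password.
SECRET_FILES = ["config/environment.rb"].freeze
CODE_DIRS    = ["app/", "config/"].freeze

# Returns sorted [relative_path, octal_mode, reason] rows for regular files under root.
def audit_permissions(root, secret_files: SECRET_FILES, code_dirs: CODE_DIRS)
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next unless st.file? # skip directories and symlinks such as Capistrano's "current"
    rel   = path.sub(%r{\A#{Regexp.escape(root)}/?}, "")
    mode  = st.mode & 0o777
    octal = format("%04o", mode)
    if secret_files.include?(rel) && (mode & 0o004) != 0
      findings << [rel, octal, "secret readable by other"]
    end
    if rel.start_with?(*code_dirs) && (mode & 0o020) != 0
      findings << [rel, octal, "code writable by group"]
    end
    findings << [rel, octal, "writable by other"] if (mode & 0o002) != 0
  end
  findings.sort
end

# Constructed sample tree using the modes listed in the post (rw/rw/r = 0664, rw/r/r = 0644).
def build_sample_tree(dir)
  { "config/environment.rb"                     => 0o664,
    "app/controllers/application_controller.rb" => 0o664,
    "log/production.log"                        => 0o644 }.each do |rel, mode|
    full = File.join(dir, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, "")
    File.chmod(mode, full)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    audit_permissions(dir).each { |rel, mode, why| puts "#{mode} #{rel}: #{why}" }
  end
end
```

Run against a real release path at the end of a deploy, a non-empty result is the list of files whose modes still need tightening.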

