[LRUG] Setting up SSH for multiple people to deploy an app

Gerhard Lazu gerhard at lazu.co.uk
Wed Apr 17 15:19:46 PDT 2013


1. Never run apps under www-data, that is a system user reserved for web
servers only. Giving www-data write privileges to any of your apps is a
well-known easter egg.

2. Create a system user for each app, even if it's PHP or just a static
site. Make that user part of the deploy group.

3. Only allow deploy and admin groups to log in via ssh. Root is not in
these groups, neither is www-data. /bin/false or /bin/nologin are just
comfort blankets, don't rely on them when securing sshd.

4. When you want to allow someone to deploy an app, add their ssh key to
that app's authorized_keys file. It's a lot easier managing access by
adding/removing ssh keys vs system users.

5. Most importantly, never pull code when deploying, always push. Never
rely on any third party either; you not being able to deploy code because
your repo host (github / bitbucket) or rubygems are down is insane.

I wish I had focused on these specifics in my March LRUG talk; it would have
made a lot more people efficient and happy. One of these days I will write
a blog post on all the above; it's such a treat to have it all working
consistently and predictably across apps and providers.

In my own infrastructure, I just create a new app config (regardless of the
app type), the provisioner (chef) and CI (jenkins) take care of everything
else.

Gerhard

------------------------------
Twitter <http://twitter.com/#!/gerhardlazu>
Github <https://github.com/gerhard>
Blog <http://gerhardlazu.com/>


On Wed, Apr 17, 2013 at 6:02 PM, Richard Livsey <richard at livsey.org> wrote:

> What's the best way of setting up a server for multiple people to deploy
> to these days?
>
> /var/www/site is currently owned by www-data:www-data
>
> I don't want www-data to be a full user who can SSH in, individual users
> should be able to SSH in as themselves.
>
> I'm thinking of adding all users who can deploy to the 'www-data' group
> and then setting the /var/www/site as 2775 so that it's writable by anyone
> in that group.
>
> That combined with agent forwarding should mean that github deploy keys
> should all work for the individual users too.
>
> Does this make sense, or are there simpler/better ways?
>
> Cheers.
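Points 1 to 4 of Gerhard's list, written out as a shell script. This is an added example, not code from the post or from his chef/jenkins setup, and it assumes a few things the thread does not state: app homes live under /srv/<app>, the shared group is called "deploy", and the DRY_RUN and PREFIX variables exist only so the script can be exercised without root (DRY_RUN prints the useradd/groupadd commands instead of running them; PREFIX relocates the authorized_keys handling into a scratch directory). The sshd check follows sshd's first-match rule for repeated keywords, so a later "PermitRootLogin no" does not rescue an earlier "yes".

```shell
#!/usr/bin/env bash
# Added example: one system user per app in a "deploy" group, sshd limited to
# the deploy/admin groups, and access granted per app via authorized_keys.
# Assumptions (not from the thread): apps under /srv/<app>, group "deploy";
# DRY_RUN and PREFIX only exist so this runs unprivileged.
set -eu

DEPLOY_GROUP="${DEPLOY_GROUP:-deploy}"
PREFIX="${PREFIX:-}"       # scratch root for the key files when not root
DRY_RUN="${DRY_RUN:-0}"    # 1 = print privileged commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Points 1 and 2: a dedicated system user per app (never www-data), in deploy.
create_app_user() {
  app="$1"
  getent group "$DEPLOY_GROUP" >/dev/null 2>&1 || run groupadd --system "$DEPLOY_GROUP"
  id "$app" >/dev/null 2>&1 || run useradd --system --create-home \
      --home-dir "/srv/$app" --groups "$DEPLOY_GROUP" --shell /bin/bash "$app"
}

# Point 3: AllowGroups rejects root and www-data before their shell matters.
sshd_hardening_fragment() {
  printf '%s\n' "AllowGroups $DEPLOY_GROUP admin" 'PermitRootLogin no' 'PasswordAuthentication no'
}

check_sshd_config() {  # exit 0 if FILE restricts logins that way, 1 otherwise
  awk -v g="$DEPLOY_GROUP" '
    # sshd honours the first occurrence of a keyword, so only look at that one
    tolower($1)=="allowgroups"     && !ag { ag=1; for (i=2;i<=NF;i++) if ($i==g) groups=1 }
    tolower($1)=="permitrootlogin" && !pr { pr=1; root=(tolower($2)=="no") }
    END { exit !(groups && root) }' "$1"
}

keys_file() { printf '%s/srv/%s/.ssh/authorized_keys' "$PREFIX" "$1"; }

# Point 4: grant by appending a public key. The identity is "type base64", so
# re-adding the same key with a different comment is a no-op.
grant_deploy() {  # grant_deploy <app> "<type> <base64> [comment]"
  f=$(keys_file "$1"); d=$(dirname "$f")
  mkdir -p "$d"; chmod 700 "$d"
  touch "$f"; chmod 600 "$f"
  [ -n "$PREFIX" ] || chown -R "$1" "$d"   # on a real host the app user owns its keys
  keyid=$(printf '%s\n' "$2" | awk '{print $1, $2}')
  grep -qF -- "$keyid" "$f" || printf '%s\n' "$2" >> "$f"
}

revoke_deploy() {  # revoke_deploy <app> <substring of the key line, e.g. its comment>
  f=$(keys_file "$1"); [ -f "$f" ] || return 0
  grep -vF -- "$2" "$f" > "$f.tmp" || true   # grep -v exits 1 when nothing is left
  mv "$f.tmp" "$f"; chmod 600 "$f"
}

count_deploy_keys() {
  f=$(keys_file "$1")
  if [ -f "$f" ]; then grep -c -E '^(ssh|ecdsa)-' "$f" || true; else echo 0; fi
}

# Usage: DRY_RUN=1 ./deploy-access.sh provision billing
#        ./deploy-access.sh grant billing "$(cat alice.pub)"
#        ./deploy-access.sh revoke billing alice@laptop
case "${1:-}" in
  provision) create_app_user "$2" ;;
  grant)     grant_deploy "$2" "$3" ;;
  revoke)    revoke_deploy "$2" "$3" ;;
esac
```

Revoking by the key's comment is the everyday case (a person leaves, their key goes from every app that listed it) and touches nothing else on the box, which is the point of managing access through keys rather than system accounts.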