1. Never run apps under www-data; that is a system user reserved for web servers only. Giving www-data write privileges to any of your apps is a well-known easter egg.<br>
<br>
2. Create a system user for each app, even if it's PHP or just a static site. Make that user part of the deploy group.<br>
<br>
3. Only allow the deploy and admin groups to log in via ssh. Root is not in these groups, and neither is www-data. /bin/false or /bin/nologin are just comfort blankets; don't rely on them when securing sshd.<br>
<br>
4. When you want to allow someone to deploy an app, add their ssh key to that app's authorized_keys file. It's a lot easier to manage access by adding/removing ssh keys than by adding/removing system users.<br>
<br>
5. Most importantly, never pull code when deploying; always push. Never rely on any third party either: not being able to deploy code because your repo host (github / bitbucket) or rubygems is down is insane.<br>
<br>
I wish I had focused on these specifics in my March LRUG talk; it would have made a lot more people efficient and happy. One of these days I will write a blog post on all the above; it's such a treat to have it all working consistently and predictably across apps and providers.<br>
<br>
In my own infrastructure, I just create a new app config (regardless of the app type), the provisioner (chef) and CI (jenkins) take care of everything else.<br><br>Gerhard<br><div><br><hr style="font-family:arial,helvetica,sans-serif">
<font color="#3333ff"><font face="arial, helvetica, sans-serif"><a href="http://twitter.com/#!/gerhardlazu" target="_blank">Twitter</a> <a href="https://github.com/gerhard" target="_blank">Github</a> </font><a href="http://gerhardlazu.com/" style="font-family:arial,helvetica,sans-serif" target="_blank">Blog</a></font></div>
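<br>The five points above, carried through as one script. This is an added example, not code from this thread and not Gerhard's own chef/jenkins setup; it assumes Debian-style useradd/groupadd, app homes under an APP_ROOT of /srv, group names "deploy" and "admin", and rsync as the push transport. The key options, the AllowGroups check and the app-name validation are my additions, not something the post prescribes. DRY_RUN=1 (the default) prints the privileged commands instead of running them, so the whole thing can be read and exercised without root.<br>

```shell
#!/bin/sh
# Added example; not code from this thread or from Gerhard's own setup.
# One script covering points 2-5 above for a single app: a system user per
# app in the "deploy" group, an sshd config check for AllowGroups, access
# granted per app through that user's authorized_keys, and a push deploy.
# Assumptions (mine, not the thread's): Debian-style useradd/groupadd,
# app homes under $APP_ROOT, group names "deploy" and "admin", rsync as the
# push transport. DRY_RUN=1 (the default) prints privileged commands instead
# of running them, so everything below can be exercised without root.
set -eu

APP_ROOT="${APP_ROOT:-/srv}"
DRY_RUN="${DRY_RUN:-1}"
# Options prepended to every deploy key (my choice): a deployer gets to push
# to the app user, not to use it as a jump host or an agent relay.
KEY_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# App names become user names and paths, so validate them strictly.
valid_app_name() { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9_-]{0,31}$'; }

# Point 2: one system user per app, its own primary group, member of deploy.
# It keeps a real shell because deployers push to it over ssh; who may log
# in is decided by sshd AllowGroups (point 3), not by the shell field.
create_app_user() {       # create_app_user <app>
  valid_app_name "$1" || { echo "invalid app name: $1" >&2; return 1; }
  run groupadd --system --force deploy
  run useradd --system --user-group --groups deploy --create-home \
      --home-dir "$APP_ROOT/$1" --shell /bin/bash "$1"
  run install -d -m 0700 -o "$1" -g "$1" "$APP_ROOT/$1/.ssh"
}

# Point 3: sshd must allow exactly the deploy and admin groups. Root and
# www-data are in neither, so their /bin/false or /bin/nologin is moot.
# A missing PermitRootLogin counts as a failure rather than as "no".
sshd_config_ok() {        # sshd_config_ok <sshd_config>
  groups=$(awk 'tolower($1)=="allowgroups" {$1=""; print; exit}' "$1")
  [ -n "$groups" ] || { echo "no AllowGroups directive" >&2; return 1; }
  have_deploy=0
  for g in $groups; do
    case "$g" in
      deploy) have_deploy=1 ;;
      admin)  ;;
      *) echo "unexpected group in AllowGroups: $g" >&2; return 1 ;;
    esac
  done
  [ "$have_deploy" = 1 ] || { echo "AllowGroups lacks deploy" >&2; return 1; }
  prl=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1")
  [ "${prl:-}" = no ] || { echo "PermitRootLogin must be no" >&2; return 1; }
}

# Point 4: access to an app is a line in that app's authorized_keys.
# Keys are matched on their base64 blob (which always starts with AAAA),
# whether or not the stored line carries options or a changed comment.
authorized_keys_path() { printf '%s/%s/.ssh/authorized_keys\n' "$APP_ROOT" "$1"; }
key_blob() { printf '%s\n' "$1" | awk '{for(i=1;i<=NF;i++) if($i ~ /^AAAA/){print $i; exit}}'; }

has_deploy_key() {        # has_deploy_key <app> "<public key line>"
  ak=$(authorized_keys_path "$1"); blob=$(key_blob "$2")
  [ -f "$ak" ] && [ -n "$blob" ] &&
    awk -v b="$blob" '{for(i=1;i<=NF;i++) if($i==b) f=1} END{exit !f}' "$ak"
}

grant_deploy() {          # grant_deploy <app> "<type> <base64> [comment]"
  ak=$(authorized_keys_path "$1")
  valid_app_name "$1" || return 1
  [ -n "$(key_blob "$2")" ] || { echo "not a public key line: $2" >&2; return 1; }
  has_deploy_key "$1" "$2" && return 0          # already granted: idempotent
  mkdir -p "$(dirname "$ak")"; chmod 0700 "$(dirname "$ak")"
  ( umask 077; printf '%s %s\n' "$KEY_OPTS" "$2" >> "$ak" )
  chmod 0600 "$ak"
}

revoke_deploy() {         # revoke_deploy <app> "<public key line>"
  ak=$(authorized_keys_path "$1"); blob=$(key_blob "$2")
  [ -f "$ak" ] && [ -n "$blob" ] || return 0
  awk -v b="$blob" '{keep=1; for(i=1;i<=NF;i++) if($i==b) keep=0} keep' "$ak" > "$ak.tmp"
  chmod 0600 "$ak.tmp"; mv "$ak.tmp" "$ak"
}

# Point 5: push from the machine that has the built code (CI or a laptop)
# to the app user; the server itself never fetches from github or rubygems,
# so the build dir is expected to contain vendored gems already.
push_deploy() {           # push_deploy <app> <host> <local build dir>
  valid_app_name "$1" || return 1
  run rsync -az --delete "$3/" "$1@$2:$APP_ROOT/$1/current/"
}

# Usage:  sh deploy-app.sh create myapp            (DRY_RUN=0 to really run it)
#         sh deploy-app.sh grant myapp "$(cat alice.pub)"
#         sh deploy-app.sh check /etc/ssh/sshd_config
#         sh deploy-app.sh push myapp web1.example.com ./build
case "${1:-}" in
  create) create_app_user "$2" ;;
  grant)  grant_deploy "$2" "$3" ;;
  revoke) revoke_deploy "$2" "$3" ;;
  check)  sshd_config_ok "$2" && echo "sshd config ok" ;;
  push)   push_deploy "$2" "$3" "$4" ;;
esac
```

Revoking by blob rather than by comment is deliberate: the comment on a key line is free text and is the part people edit, whereas the blob is the key. Richard's 2775 group-writable directory plus agent forwarding is exactly what the per-app user avoids: nothing here forwards an agent, because the server never needs a GitHub credential.<br>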
<br><br><div class="gmail_quote">On Wed, Apr 17, 2013 at 6:02 PM, Richard Livsey <span dir="ltr"><<a href="mailto:richard@livsey.org" target="_blank">richard@livsey.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
What's the best way of setting up a server for multiple people to deploy to these days?<br>
<br>
/var/www/site is currently owned by www-data:www-data<br>
<br>
I don't want www-data to be a full user who can SSH in; individual users should be able to SSH in as themselves.<br>
<br>
I'm thinking of adding all users who can deploy to the 'www-data' group and then setting /var/www/site to 2775 so that it's writable by anyone in that group.<br>
<br>
That combined with agent forwarding should mean that github deploy keys should all work for the individual users too.<br>
<br>
Does this make sense, or are there simpler/better ways?<br>
<br>
Cheers.<br>
_______________________________________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
<a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" target="_blank">http://lists.lrug.org/listinfo.cgi/chat-lrug.org</a><br>
</blockquote></div><br>