# What are everyone’s recommendations on setting up a secure ‘deploy’ user?
Note: apologies if this has already been covered; I tried searching but couldn’t find anything incredibly specific.
For my personal purposes I am trying to set up a user that can deploy to other users’ directories, but trying to keep that user as secure as possible and not giving it too many privileges.
Here are a few suggestions I have seen (all assuming the deploy user has already been created):
1) Most articles/tuts I see locking the account’s password with passwd -l and then simply adding the user as a sudoer:
example:
$ passwd -l deploy
then run $ visudo
and mimic root’s policy directly below it, like:
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL
2) Others have suggested creating a new ‘deployers’ group, then adding user ‘deploy’ to that group and then giving the ‘deployers’ group ownership of whatever directory you are deploying to (while leaving the user owner as is).
example:
$ groupadd deployers
$ usermod -G deployers deploy
then assuming you had 3 users that you’d deploy to in your /home/ directory
/home/website1, /home/website2, and /home/app1
$ chown -R website1:deployers /home/website1/; chown -R website2:deployers /home/website2/; chown -R app1:deployers /home/app1/;
$ groups deploy
deploy: deploy deployers
$ ls -la /home/
permissions user group directory
drwx--x--x website1 deployers /home/website1
drwx--x--x website2 deployers /home/website2
drwx--x--x app1 deployers /home/app1
drwx------ deploy deploy /home/deploy
3) I was personally thinking of the opposite of #2, and instead adding the ‘deploy’ user to every other user’s group that would be deployed to.
example:
$ ls -la /home/
permissions user group directory
drwx--x--x website1 website1 /home/website1
drwx--x--x website2 website2 /home/website2
drwx--x--x app1 app1 /home/app1
drwx------ deploy deploy /home/deploy
$ usermod -a -G website1,website2,app1 deploy
$ groups deploy
deploy : deploy website1 website2 app1
4) capistranorb.com’s article on authorization suggests adding passwordless sudo but not as open as option 1
example:
running $ visudo
and then giving the ‘deploy’ user access to specific scripts/services, like:
root ALL=(ALL) ALL
deploy ALL=NOPASSWD:/etc/init.d/mysqld, /etc/init.d/apache2
But if this is all they are suggesting, then I don’t see how this alone would allow the ‘deploy’ user to write to any other user’s directory but his own without doing either #2 or #3.
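
An added example, not part of the original post: a shell check of whether a deploy target is actually usable through group membership as in options 2 and 3. The function name `check_deploy_dir` and the policy it enforces (group rwx, setgid set, not world-writable) are assumptions of this example, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. check_deploy_dir is a hypothetical name.
# Policy assumed here: the deploy group must own the directory with rwx, the setgid
# bit must be set so that (on Linux) files created by 'deploy' keep the directory's
# group, and the directory must not be world-writable.

# check_deploy_dir DIR GROUP -> prints findings, returns 0 only if all checks pass
check_deploy_dir() {
    dir=$1; want_group=$2; rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }

    mode=$(ls -ld "$dir" | awk '{print $1}')    # e.g. drwxrws---
    group=$(ls -ld "$dir" | awk '{print $4}')   # group owner
    gbits=$(printf '%s' "$mode" | cut -c5-7)    # group permission triplet
    obits=$(printf '%s' "$mode" | cut -c8-10)   # other permission triplet

    [ "$group" = "$want_group" ] || { echo "$dir: group is $group, expected $want_group"; rc=1; }
    case $gbits in
        rw[xs]) ;;
        *) echo "$dir: group bits are '$gbits', members cannot create files here"; rc=1 ;;
    esac
    case $gbits in
        ??[sS]) ;;
        *) echo "$dir: setgid not set, new files get the creator's primary group"; rc=1 ;;
    esac
    case $obits in
        ?w?) echo "$dir: world-writable"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo on a throwaway directory (no root needed).
demo=$(mktemp -d)
grp=$(ls -ld "$demo" | awk '{print $4}')
chmod 711 "$demo";  check_deploy_dir "$demo" "$grp" || echo "=> 711 (drwx--x--x) fails"
chmod 2770 "$demo"; check_deploy_dir "$demo" "$grp" && echo "=> 2770 (drwxrws---) passes"
rm -rf "$demo"
```

Mode 711 is the `drwx--x--x` shown in the listings above: group members can traverse the directory but not create files in it, whichever group owns it.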