Recommendations for 'deploy' user privileges

What are everyone's recommendations on setting up a secure 'deploy' user?
Note: apologies if this has already been covered, I tried searching but couldn't find anything incredibly specific :anguished:

For my personal purposes I am trying to set up a user that can deploy to other users' directories, but trying to keep that user as secure as possible and not giving it too many privileges.

Here are a few suggestions I've seen (all assuming the deploy user has already been created):

1) Most articles/tuts I see lock the account's password and then simply add the user as a sudoer:

example:

$ passwd -l deploy

then run $ visudo and mimic root’s policy directly below it, like:

root	ALL=(ALL)	ALL
deploy	ALL=(ALL)	ALL

2) Others have suggested creating a new 'deployers' group, then adding user 'deploy' to that group and then giving the 'deployers' group ownership of whatever directory you are deploying to (while leaving the user owner as is)

example:

$ groupadd deployers
$ usermod -a -G deployers deploy

then assuming you had 3 users that you’d deploy to in your /home/ directory
/home/website1, /home/website2, and /home/app1

$ chown -R website1:deployers /home/website1/; chown -R website2:deployers /home/website2/; chown -R app1:deployers /home/app1/;

$ groups deploy
deploy: deploy deployers

$ ls -la /home/

permissions  user       group         directory
drwx--x--x   website1   deployers     /home/website1
drwx--x--x   website2   deployers     /home/website2
drwx--x--x   app1       deployers     /home/app1
drwx------   deploy     deploy        /home/deploy

3) I was personally thinking of the opposite of #2, and instead adding the 'deploy' user to every other user's group that would be deployed to.

example:

$ ls -la /home/

permissions  user      group      directory
drwx--x--x   website1  website1   /home/website1
drwx--x--x   website2  website2   /home/website2
drwx--x--x   app1      app1       /home/app1
drwx------   deploy    deploy     /home/deploy

$ usermod -a -G website1,website2,app1 deploy

$ groups deploy
deploy : deploy website1 website2 app1

4) capistranorb.com’s article on authorization suggests adding passwordless sudo but not as open as option 1

example:

running $ visudo and then giving the ‘deploy’ user access to specific scripts/services, like:

root	ALL=(ALL)	ALL
deploy ALL=NOPASSWD:/etc/init.d/mysqld, /etc/init.d/apache2

but if this is all they are suggesting then I don’t see how this alone would allow ‘deploy’ user to write to any other user’s directory but his own without doing either #2 or #3

So, what are everyone’s thoughts, successes, failures?
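As an added example (not code from the thread, Trellis or Capistrano), here is a POSIX sh script for the group-based layout of option 2 combined with the restricted sudoers fragment of option 4. It sets the setgid and group-write bits that a plain `chown -R` does not give you, and syntax-checks the fragment before it goes anywhere near /etc/sudoers. Directory, user and group names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): option 2's shared deploy group with the
# two details 'chown -R' alone leaves out, plus option 4's restricted sudoers
# fragment validated before installation. Names below are constructed.
set -eu

# Give GROUP write access to DIR while the user owner stays as it is.
# The setgid bit on directories makes new files inherit GROUP instead of the
# creating user's primary group; without it the next deploy leaves files the
# site owner cannot touch. chgrp is skipped unless the caller is root or
# already a member of GROUP, because it would fail otherwise.
prepare_deploy_dir() {
    dir=$1; group=$2
    if [ "$(id -u)" -eq 0 ] || id -nG | tr ' ' '\n' | grep -qx "$group"; then
        chgrp -R "$group" "$dir"
    fi
    find "$dir" -type d -exec chmod 2771 {} +   # rwx+setgid for group, x only for others
    find "$dir" -type f -exec chmod g+rw {} +
    # The deploy user also needs 'umask 002' so files it creates stay group-writable.
}

# Print one sudoers line allowing USER to run only the listed commands
# without a password (the account is locked, so it has none to type).
sudoers_fragment() {
    user=$1; shift
    cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds"
}

# Check a fragment before copying it to /etc/sudoers.d/: a syntax error there
# breaks sudo for everyone. Falls back to a shape check if visudo is absent.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        ! grep -qvE '^[A-Za-z0-9_-]+ ALL=\([A-Za-z0-9_-]+\) NOPASSWD: .+$' "$1"
    fi
}

# Demo on a scratch directory, using the caller's own primary group.
tmp=$(mktemp -d)
mkdir -p "$tmp/website1/current"; : > "$tmp/website1/current/index.php"
prepare_deploy_dir "$tmp/website1" "$(id -gn)"
sudoers_fragment deploy /etc/init.d/mysqld /etc/init.d/apache2 > "$tmp/deploy.sudoers"
check_sudoers "$tmp/deploy.sudoers" && echo "sudoers fragment OK: $(cat "$tmp/deploy.sudoers")"
# To install for real: passwd -l deploy; cp deploy.sudoers /etc/sudoers.d/deploy; chmod 0440 it.
rm -rf "$tmp"
```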

Trellis has a web user and we use a combination of 1, 2 and 3.

So we have a web user that is passwordless (can only use SSH keys). Then we make the web user the owner for the web root directories (and set group to www-data). Finally we add specific services that the user is allowed to use in sudoers. Example: https://github.com/roots/trellis/blob/160fd4ee0ac042de6588e4624a0fdba28055e230/group_vars/all/users.yml#L19-L22

I really really really want to use Trellis, but with my current host I believe I'm unfortunately pretty much locked to Capistrano, as Trellis requires the ability to provision a vanilla Ubuntu environment, correct?

I have thus far been totally unsuccessful on a CentOS/Apache multi-user setup in completing a deploy with a special 'deploy' user and instead have had to deploy with the user who actually owns the files…

but I haven't tried setting all users' directories to be owned by apache, i.e.:

permissions  user       group     directory
drwx--x--x   website1   apache    /home/website1
drwx--x--x   website2   apache    /home/website2
drwx--x--x   app1       apache    /home/app1
drwx------   deploy     deploy    /home/deploy

and then adding ‘deploy’ to the apache group:

$ usermod -a -G apache deploy
$ groups deploy
deploy: deploy apache

but any option requiring groups in my case I believe would require a good deal of setup for every new site that is added…

I really wish I could figure out a good way to set up a (secure) 'deploy' user that can simply read/write/execute to all users' directories without messing with groups or allowing the user to be so much of a super user that it could run anything outside of the user's directory…

Is it typical to have issues in a multi-user environment (for clarification I'm not on shared hosting, I have full root access on a VPS)? I ask because I also feel as though I've noticed that nearly all Capistrano deployment examples I've found in articles/tuts assume you are on a server that is set up to serve only one website, in an instance where you'd only be dealing with like two users, root and the apache user…

Yeah you can’t use Trellis in your case. I just brought it up as an example to show how a deploy user can be set up.

There aren't too many requirements for using Capistrano. It just assumes you have a user which owns a "root" directory where you're deploying a single site to. Capistrano doesn't really care about any other directories up the tree from that.