Closed btbonval closed 10 years ago
btbonval
commented
10 years ago In previous work, I had a sudo user and a target user. Fabric's with prefix against sudo su - user to switch to the target user, which works as long as the fabric user has sudo privs.
If both the target and sudo user are the same, there can be a quick check for that which basically ignores the with prefix check. This logic would go in a function like def run_as(user, command).
btbonval
commented
10 years ago Actually, by supporting two users (one with sudo, one the django user), we automatically support fabric commands on staging and prod systems. Presently one would need SSH access to the django user to facilitate fab commands directly to staging/prod, which we'd rather not do. Whereas the main devvers do have SSH access to users with sudo on those machines.
btbonval
commented
10 years ago This was an interesting problem, but as we now run on Heroku, it no longer affects the KarmaNote servers. We no longer have deployed servers where the django user security can present a security problem.
Heroku sandboxes all the servers, thankfully.
We need to rethink some of the security design in deployed systems.
Apache, when running
mod_pythonormod_wsgi, will drop user privileges intelligently.Nginx runs as root, but it also drops user privileges as needed. It does not run the software, but rather reverse proxies it from Django.
I think we have no reason to trust
python manage.py runserver. Django isn't an application I would trust with unix-level security.We need sudo for a number of
first_deployactivities. We could do two things: