Do not run Rails apps as a user with passwordless sudo
Closed this issue · 1 comments
aredington commented
Motivation
Rack instances and the Passenger spawner run as the deploy user on our currently provisioned instances. The deploy user has passwordless sudo, this represents a significant security hole.
Acceptance Criteria
- No daemon processes run as a user with passwordless sudo.
- Verify processes still as deploy.
- Verify deploy can't sudo by ssh-ing and attempting sudo.
ldenman commented
I qa-ed on ec2 and vagrant.
To Alex's points, I can confirm that no daemons run as a user with passwordless sudo, provision and deployment still works, and deploy can't sudo.