Accounts / security tips ?

Discussion in 'Ruby/Rails' started by thbar, Sep 25, 2006.

  1. thbar

    thbar New Member

    Hi!

    I'm willing to learn more about the recommended way(s) to setup the various accounts and rights etc on a LSWS+Rails deployment platform.

    Here's my configuration:
    - ubuntu 6.06 on a dedicated box
    - capistrano 1.2.0 and rails 1.1.6
    - the latest LSWS / free edition is up and running (I'm about to install the LSAPI gem), running as nobody (the default in the LSWS installation), on ports 8088 and 7080 (default)
    - SSH and LSWS admin access is restricted by IP

    I'm using an admin user (= one who sudoes on demand) under capistrano.

    Should I create a custom user instead of nobody ? Should I use suExec ? Is there anything else recommended ?

    Any tips / caveats are most welcome!

    cheers

    Thibaut
    Last edited: Sep 25, 2006
  2. xing

    xing LiteSpeed Staff

    1) Security through minimal configuration possible to reduce human/system errors.

    Remove any and all unused external application, and listeners.

    2) Instead of nobody use a custom user like "lsws" just for ease of management sake. There could be other processes on the system running as nobody.

    3) Use suEXEC. Create a user just for ruby/rails.

    http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:cgi_fcgi_lsapi_php_suexec

    4) Block ANY and ALL administrative urls/links/paths to your general applicatioin via the public port/listener. For example, if your ruby app binds http://toast.com/admin/ to the admin interface, block access to it via context rules or remove /admin/ routing completedly from the rail app.

    Just because the admin panel is password protected doesn't mean it's secure.

    Security is different for everyone so mix and match your personal paranoia with practical solutions. Paranoia is not a bad word when it comes to security. =)
  3. thbar

    thbar New Member

    Hi Xing

    thanks a lot for the whole list, it's really appreciated!

    One last question before I proceed: how would you recommend to setup the access rights of the rails code under that setup ? Should the files be owned by the dedicated rails user you describe ?

    cheers

    Thibaut
  4. mistwang

    mistwang LiteSpeed Staff

    All files can be owned by the rails user or only let a few directories to be owned by rails user to give better security.

    When LSWS start a Rails app in SuEXEC mode, it uses the owner of public folder, so, you can create a user for each of your rails application if you want, and you need to make 'public', 'log', 'tmp' owned by the user you created, other folder can be owned by root or other user as long as it is readable to the rails user. It will give you the best security.
  5. xing

    xing LiteSpeed Staff

    Yes. The easiest way is to create a new user each ruby app. For example, "rblog" if it's a ruby rails blog. Just do chown -R rblog:rblog on the root directory of the rails app. If suEXEC is properly configured, the ruby process will launch as "rblog".
  6. thbar

    thbar New Member

    Perfect. Thanks!

    Thibaut
  7. thbar

    thbar New Member

    Is it fine if I have firewall rules to forbid access to the litespeed admin except for a few trusted IP addresses, and if I have IP restrictions as well under the litespeed admin context ?

    cheers

    Thibaut
  8. thbar

    thbar New Member

    I've also created a new Rails context (same values as the one created by EasyRailsWithSuEXEC, but with URI = '/admin' and IP restrictions, and placed it first in the chain).

    Is that what you meant ?

    thanks!

    Thibaut
  9. mistwang

    mistwang LiteSpeed Staff

    That's fine.

    If you rails application is mounted at URI '/', URI '/admin' probably does not work if you just add it as "Rails" context, you need to add a "static" context with URI "/admin", add access rules, "ErrorDocument 404 /dispatch.lsapi" in "Apache style configruation".
    Anyway, if '/admin' is password protected, you don't have to do that.

Share This Page