
I have a Ruby on Rails app and use Capistrano to deploy it to the server.

The deploy user and the user running the app are the same - the default ubuntu user. (This has sudo access: ubuntu ALL=(ALL) NOPASSWD:ALL)

Maybe this setup is a bit insecure, in case there is a flaw in my Rails app that allows access to the system via the ubuntu user?

I was thinking of making these two users:

  1. deploy user: only has sudo access to start/restart nginx on the server. Has SSH access to the server.
  2. railsrunner: no sudo access, and has no SSH access (railsrunner:x:12345:12345::/nonexistent:/usr/sbin/nologin)

Is that a good approach? Is there any advantage to having a deploy user or the railsrunner user or should I just use the ubuntu user? (or something else?)

Zabba
  • You should make the users you need to accomplish the objectives you want to achieve. As for the default user, you probably should just ignore its existence entirely except when configuring a new instance. – Michael Hampton Oct 02 '18 at 04:19
  • @MichaelHampton: *Is there any advantage to having a deploy user or the railsrunner user or should I just use the ubuntu user? (or something else?)* – Zabba Oct 02 '18 at 19:03

0 Answers
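The account layout proposed in the question can be checked mechanically. The following shell helpers are an added example, not part of the original post: they classify a passwd entry and a one-line sudoers user specification. The `deploy` entries, the `/usr/bin/systemctl` path, the `ubuntu` passwd line and the function names are assumptions; only the `railsrunner` passwd line and the `ubuntu` sudoers rule are quoted from the question, and the sudoers handling covers single-line rules only (no aliases or line continuations).

```shell
#!/bin/sh
# Added example: audit helpers for the ubuntu / deploy / railsrunner layout.

# passwd_can_login LINE: succeeds if the passwd(5) entry has a usable login shell.
passwd_can_login() {
    shell=${1##*:}                      # 7th field of the entry
    case "$shell" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;                  # an empty field defaults to /bin/sh
    esac
}

# sudo_rule_scope LINE: prints "unrestricted" if the command list of a
# one-line sudoers user specification contains ALL, else "restricted".
sudo_rule_scope() {
    cmds=${1#*=}                        # drop "user host="
    cmds=${cmds#*\)}                    # drop "(runas)" when present
    # Strip tags such as NOPASSWD:, normalise commas, trim whitespace.
    cmds=$(printf '%s' "$cmds" | sed -E \
        's/[A-Z_]+:[[:space:]]*//g; s/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]+//; s/[[:space:]]+$//')
    case ",$cmds," in
        *,ALL,*) echo unrestricted ;;   # also true for "ALL, !/some/cmd"
        *)       echo restricted ;;
    esac
}

# account_risk PASSWD_LINE [SUDOERS_LINE]: one summary line per account.
account_risk() {
    if passwd_can_login "$1"; then login=yes; else login=no; fi
    if [ -n "${2:-}" ]; then sudo=$(sudo_rule_scope "$2"); else sudo=none; fi
    echo "${1%%:*} login=$login sudo=$sudo"
}

# Current setup (sudoers rule from the question, passwd line constructed).
account_risk 'ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash' \
             'ubuntu ALL=(ALL) NOPASSWD:ALL'
# Proposed deploy user (both lines constructed; systemctl path assumed).
account_risk 'deploy:x:1001:1001::/home/deploy:/bin/bash' \
             'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl start nginx'
# Proposed app user (passwd line from the question, no sudoers rule).
account_risk 'railsrunner:x:12345:12345::/nonexistent:/usr/sbin/nologin'
```

On a real host, `sudo -l -U <user>` and `visudo -c` give the authoritative view of the effective rules; the helpers above only classify the lines they are handed.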