Capistrano: user limits on the server

A

alexpogodin2012-10-12 14:58:51

linux

alexpogodin, 2012-10-12 14:58:51

Good day!

We are trying to implement Capistrano to deploy releases to servers. Everything would be fine if not for the righteous paranoia of the administrator. In this regard, the question arises: by what means is it right to limit the set of allowed actions for the user used for deployment. As well as a list of file system resources to which the user should have (or not have) access.

Only 2 options come to mind:
- dancing with ~/.ssh/authorized_keysand command
- AppArmor & SELinux

The experience of colleagues in this regard is interesting.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

M

Meliborn, 2012-10-12
@Meliborn

Create a new user (developer), give him rights, add to authorized_keys?

P

pomeo, 2012-10-12
@pomeo

my hubot sits separately in a container on a remote machine, he has all the keys to the servers he can access, and he only knows how to run capistrano. Those. it is impossible to get to those servers by hand, to execute something in the shell there too.