Non-privileged, non-root user to start or restart a web server such as nginx without root or sudo

I'm using capistrano to deploy a rails web app. I want to give the deploy user on the webserver as few privileges as I can. I was able to do everything I need to do as a non-privileged user except restart the webserver.

I'm doing this on an ubuntu server, but this problem is not specific to my use case (rails, capistrano, deployment), and I've seen a lot of approaches to this problem that seem to involve poor security practices. Wondering whether others can vet my solution and advise whether it's secure?

First, not necessary, but I have no idea why /etc/init.d/nginx would need any (even read) access by other users. If they need to read it, make them become root (by sudo or other means), so I:

chmod 750 /etc/init.d/nginx

Since the ownership is owner root, group root (or can be set such with chown root:root /etc/init.d/nginx) only root, or a user properly sudo'ed, can read, change or run /etc/init.d/nginx, and I'm not going to give my deploy user any such broad rights. Instead, I'm only going to give the deploy user the specific sudo right to run the control script /etc/init.d/nginx. They will not be able to run an editor to edit it, because they will only have the ability to execute that script. That means that if someone gets access to my box as the deploy user, they can restart, stop, etc. the nginx process, but they cannot do more, like change the script to do lots of other, evil things.

Specifically, I'm doing this:

visudo

visudo is a specific tool used to edit the sudoers file, and you have to have sudoer privileges to access it.

Using visudo, I add:

# Give deploy the right to control nginx

deploy ALL=NOPASSWD: /etc/init.d/nginx

Check the sudo man page, but as I understand this, the first column is the user being given the sudo rights, in this case, “deploy”. The ALL gives deploy access from all types of terminals/logins (for example, over ssh). The end, /etc/init.d/nginx, ONLY gives the deploy user root access to run /etc/init.d/nginx (and in this case, the NOPASSWD means without a password, which I need for an unattended deployment). The deploy user cannot edit the script to make it evil, they would need FULL sudo access to do that. In fact, no one can unless they have root access, in which case there's a bigger problem. (I tested that the user deploy could not edit the script after doing this, and so should you!)

What do you guys think? Does this work? Are there better ways to do this? My question is similar to this and this, but provides more explanation than I found there, sorry if it's too duplicative, if so, I'll delete it, though I'm also asking for different approaches.

Solution

The best practice is to use /etc/sudoers.d/myuser

The /etc/sudoers.d/ folder can contain multiple files that allow users to call stuff using sudo without being root.

The file usually contains a user and a list of commands that the user can run without having to specify a password. Such as

sudo service nginx restart

Note that we are running the command using sudo. Without the sudo the sudoers.d/myuser file will never be used.

An example of such a file is

myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart

This will allow the myuser user to call all start, stop and restart for the nginx service.

You could add another line with another service or continue to append them to the comma separated list, for more items to control.

Also make sure you have run the command below to secure things

chmod 0440 /etc/sudoers.d/myuser

This is also the way I start and stop services from my own upstart scripts that live in /etc/init

It can be worth checking that out if you want to be able to run your own services easily.

Instructions:

In all commands, replace myuser with the name of your user that you want to use to start, restart, and stop nginx without sudo.

Open sudoers file for your user:

$ sudo visudo -f /etc/sudoers.d/myuser

Editor will open. There you paste the following line:

myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart

Save by hitting ctrl+o. It will ask where you want to save, simply press enter to confirm the default. Then exit out of the editor with ctrl+x.
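As an added example, not part of the question or the answer above: a POSIX shell script that builds the /etc/sudoers.d drop-in the answer describes, pins every command to an absolute path with its exact arguments (which is what keeps the deploy user's reach as narrow as the question wants), rejects drop-in file names that sudo would silently skip, installs the file with mode 0440, and syntax-checks it with `visudo -c` before it goes live when that is possible. The user name `deploy`, the file name `deploy-nginx`, the `NGINX_CTL` alias and the extra `reload` verb are assumptions made here for illustration, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original post): build, check and install a
# least-privilege /etc/sudoers.d drop-in that lets one deploy user control nginx.
# Assumed names: user "deploy", drop-in "deploy-nginx", alias "NGINX_CTL".

# Print the drop-in for user $1. Each command is an absolute path with its exact
# arguments. Wildcards are avoided on purpose: in sudoers a "*" also matches
# spaces, so "/usr/sbin/service nginx *" would accept any trailing arguments.
render_sudoers_dropin() {
    user="$1"
    cat <<EOF
# Allow $user to control the nginx service only. Edit with: visudo -f <this file>
Cmnd_Alias NGINX_CTL = /usr/sbin/service nginx start, /usr/sbin/service nginx stop, /usr/sbin/service nginx restart, /usr/sbin/service nginx reload
$user ALL=(root) NOPASSWD: NGINX_CTL
EOF
}

# sudoers(5) skips files in /etc/sudoers.d whose names contain a "." or end in
# "~", so such a drop-in would be installed but never take effect. Reject them.
valid_dropin_name() {
    case "$1" in
        *.*|*~) return 1 ;;
        "")     return 1 ;;
        *)      return 0 ;;
    esac
}

# Write the drop-in for user $1 to path $2 with mode 0440. The temporary name
# contains a "." so sudo ignores it if the script dies half way through. When
# visudo is available and we are root, the file is syntax-checked first.
install_sudoers_dropin() {
    user="$1"; dest="$2"
    valid_dropin_name "$(basename "$dest")" || {
        echo "refusing: sudo would ignore a drop-in named $(basename "$dest")" >&2
        return 1
    }
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    render_sudoers_dropin "$user" >"$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        if ! visudo -c -q -f "$tmp"; then
            echo "syntax check failed, not installing $dest" >&2
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$dest"
}

# Show exactly what sudo will now allow for user $1 (needs sudo; run as root).
show_sudo_rights() {
    sudo -l -U "$1"
}

# Usage (as root): sh install-deploy-sudoers.sh deploy /etc/sudoers.d/deploy-nginx
if [ "$#" -eq 2 ]; then
    install_sudoers_dropin "$1" "$2" && show_sudo_rights "$1"
fi
```

After installing, `sudo -l -U deploy` should list only the four `NGINX_CTL` commands; if it lists more, another sudoers entry is granting it. Because the rule is `(root)` rather than `(ALL)`, the deploy user also cannot use `sudo -u someoneelse` with these commands.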
