ansible: tighten security and run as unprivileged UID #63
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
There was a problem hiding this comment.
I've tested this branch in a local VM :)
I do think we'll need to run some chown -R nginx:nginx commands as cleanup if we make this change in production, though, since there is existing data there that is already owned by "admin". Something like this should work:
chown -R nginx:nginx /opt/chacra/log /opt/binaries /opt/repos /var/log/circus/
Prevent the public SSL certificate from being world-writable.
Prior to this change, we weren't enforcing the .key file permissions with Ansible (we did it by hand). Use Ansible to make sure we're doing this right.
style change only; no functional change.
Ansible sets up some particular paths need to be writable by the UID that runs the chacra app. Make this more explicit in the Ansible name.
Restrict /etc/circus and /etc/circus/circus.ini write permissions to root only.
The only thing that needs to write into this location is Ansible, and that can be done with sudo/root permissions.
This makes nignx.yml more self-contained, so we can move it around. (A future commit will move it to the top of main.yml.) This is code-reorganization only, no functional change.
Prior to this commit, the chacra application would run as the "admin"
UID ( {{ ansible_ssh_user }} ). This account has sudo privileges and it
will be safer to run the application under a UID that cannot sudo.
I've selected the "nginx" UID because it is one that we create
explicitly, so it's guaranteed to be present on both CentOS and Ubuntu.
ktdreyer
force-pushed
the
wip-tighten-security
branch
from
d24639b to
e8a2a90
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There were several files in the application that had looser permissions than required. The first set of commits in this PR tightens these up.
Prior to the changes in this PR, the chacra application would run as the "admin" UID (
{{ ansible_ssh_user }}). This account has sudo privileges, so it will be safer to run the application under a UID that cannot sudo. The final commit in this PR changes the necessary Ansible bits so we run the application as "nginx" instead.