Securing your Mongrel Processes with Deprec

Posted by Craig Ambrose on May 08, 2007 at 10:06 PM

For a long time, on many of my Rails apps, I’ve been letting my Mongrel processes run as the root user. Any sysadmin worth her salt will tell you that this is a bad idea, because any exploits in your web application will give the malicious user root access to your machine, and also any bugs in your application have the potential to destroy all sorts of important data. For example, try adding <% rm_rf ’/’ %> to one of your rails templates and you’ll see what I mean (that’s sarcasm by the way, don’t do it).

So, we need to run those mongrel processes as a user with fewer privileges. Our mongrel user should be able to read our entire rails application, and only be able to write to the relevant directories, such as logs, cache, sessions, pids and so on.

This security problem was a significant issue for my current client, and so we hired Mike Bailey (the guy who writes the deprec gem) to ensure that deprec has a system for handling this properly. It’s in the latest deprec release, and here’s how it works.

Deprec 1.7

Deprec has had a whole swathe of small releases in the last couple of weeks. Mike is back from his adventures in India, and busy fixing bugs and adding new features. By the time you read this, the release number might be even bigger, but these instructions on how to apply to old sites will probably still be valid. For new sites, you don’t really have to worry about this stuff.

Before Upgrading

Make sure that your gems are up to date on the server.

Why do you need to do this? Well, it turns out that mongrel 1.0.1 came out recently, and at the moment, deprec can’t correctly answer the questions that gem will ask about which version to use when upgrading. If you hit this problem, or want to avoid it, log into your server(s) and run sudo gem update now. You can decide which version of mongrel you want (probably 2 – ruby) and then deprec won’t have any troubles.

On an app that’s been around for a while you might also want to run cap cleanup, if you don’t already do this every now and then to remove old releases on the server. This will make the following tasks run much faster.

Applying the New Groups and Permissions

Remember the cap setup task that sets up your initial directory structure for an application? Deprec also adds to that task to ensure that file permissions are correct, and that the mongrel cluster is set up. This task is re-runnable. It doesn’t hurt to run it as often as you want, although it is pretty slow. By running it with the new deprec release, you can set up the right file permissions to use mongrel as a non-root user.

Please note that the last step performed by the setup task is to create the database. This currently fails, as the database already exists. This bug will get fixed, but it doesn’t matter, just ignore the error.

Roll Out a New Version

To get your app rolled out with the new permissions, run cap deploy, even if it hasn’t changed since the last release.
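
An added example (not from the original post and not deprec's own code): a Ruby script to check, after cap setup and cap deploy, that the deployed tree matches the permission model described at the top of this post. The relative directory names, the function names and the uid/gid arguments are assumptions, and the check reads classic Unix mode bits only.

```ruby
require 'find'

# Assumed layout: the post lists "logs, cache, sessions, pids and so on";
# these relative paths are a guess at that list. Adjust to your app.
WRITABLE_DIRS = %w[log tmp/cache tmp/sessions tmp/pids].freeze
READ, WRITE, SEARCH = 4, 2, 1

# Does an account with this uid and these gids hold all of `bits` on a file
# with this stat? Classic Unix mode bits only; ACLs are not considered.
def permitted?(stat, uid, gids, bits)
  return true if uid.zero? # root bypasses mode bits entirely
  shift = if stat.uid == uid then 6
          elsif gids.include?(stat.gid) then 3
          else 0
          end
  ((stat.mode >> shift) & bits) == bits
end

# Walk app_root and report where the mode bits disagree with the model:
# everything readable, nothing writable outside writable_dirs.
def audit_app_tree(app_root, uid, gids, writable_dirs = WRITABLE_DIRS)
  root = File.expand_path(app_root)
  report = { unreadable: [], unexpected_writable: [], not_writable: [] }
  Find.find(root) do |path|
    stat = File.lstat(path)
    next if stat.symlink? # a symlink's own mode bits carry no meaning
    rel = path == root ? '.' : path[(root.size + 1)..-1]
    need = stat.directory? ? READ | SEARCH : READ
    report[:unreadable] << rel unless permitted?(stat, uid, gids, need)
    inside = writable_dirs.any? { |d| rel == d || rel.start_with?("#{d}/") }
    can_write = permitted?(stat, uid, gids, WRITE)
    report[:unexpected_writable] << rel if can_write && !inside
    report[:not_writable] << rel if inside && !can_write
  end
  writable_dirs.each do |d|
    report[:not_writable] << d unless File.directory?(File.join(root, d))
  end
  report
end

# Usage: ruby audit_tree.rb /path/to/app UID GID[,GID...]
if __FILE__ == $PROGRAM_NAME && ARGV.size == 3
  gids = ARGV[2].split(',').map(&:to_i)
  report = audit_app_tree(ARGV[0], ARGV[1].to_i, gids)
  report.each { |kind, paths| paths.each { |p| puts "#{kind}: #{p}" } }
  exit(report.values.all?(&:empty?) ? 0 : 1)
end
```

Pass the numeric uid and gids of the account your mongrel processes run as; an empty report means the tree is fully readable and writable only inside the listed directories.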

Consider Updating Your Rails Stack

If you set up your machine with deprec some time ago, as I did, then there will be a few bugs. In particular, there was an old bug where the correct initialisation scripts for mongrel and apache were not added to the default runlevel, and they didn’t start on launch. To make sure that your system is configured as per the latest deprec, run: cap install_rails_stack. This is also always re-runnable to bring your system up to date.

Summary

So, for upgrading an old server to the latest deprec, my recommendations are:


# first, login to the server and run "sudo gem update"
cap cleanup
cap setup
cap deploy
cap install_rails_stack
cap restart_apache

For setting up a new server, instructions vary slightly according to your host, but for an Ubuntu 6.0.6 server at slicehost.com, I use the following process:


export HOSTS=your.hostname.com
cap setup_admin_account_as_root
cap setup_ssh_keys
cap install_rails_stack
cap setup
cap deploy_with_migrations
cap restart_apache

Comments


Jeremy Pinnix

Thanks for the great article!
