Chef - Switch user and run package installations - ruby-on-rails

I have a server that can only SSH using a non-admin username. I also have the root username and password for this server. I want to install some packages by bootstrapping this node. Is there a way to bootstrap this server and run the installations switching to root?
I ran the command,
knife bootstrap [NODE_IP] --ssh-user [NON-ROOT-USERNAME] --ssh-password [NON-ROOT-PASSWORD] --sudo --use-sudo-password --node-name [NODE_NAME] --run-list 'recipe[bootstrap_test]'

You would need a user with sudo access to install packages, which is different from running installations using root. Give the non-admin user sudo access in the sudoers file. You can configure sudo access using the command visudo.
Also see this thread

Related

Installing Informix CSDK in an Ubuntu Docker container

I'm trying to install ibm.csdk.4.50.FC3.LNX in a Docker container based on Ubuntu 18.
I run in the container the installation file as follows:
root#mycontainer:/usr/src/ibm.csdk.4.50.FC3.LNX# ./installclientsdk -i console
But I get this error:
One or more prerequisite system libraries are not installed on your
computer. Install libdl.so.2, libcrypt.so.1, libpam.so.0,
libstdc++.so.6, libm.so.6, libgcc_s.so.1, libc.so.6, libncurses.so.5
and then restart the IBM Informix installation program.
The installation cannot succeed until the minimum requirements are
met. For more information about the prerequisites, see your
Installation Guide or check with your System Administrator.
However those files are already in the container in the following paths:
/lib/x86_64-linux-gnu/libdl.so.2
/lib/x86_64-linux-gnu/libcrypt.so.1
/lib/x86_64-linux-gnu/libpam.so.0
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
/lib/x86_64-linux-gnu/libm.so.6
/lib/x86_64-linux-gnu/libgcc_s.so.1
/lib/x86_64-linux-gnu/libc.so.6
/lib/x86_64-linux-gnu/libncurses.so.5
How can I install it?
Running apt install unixodbc-dev seems to fix it.
You might also want to install unixodbc.
We have a similar issue where we are running a shell script which runs dbaccess inside the Docker container. But as we run Docker as the root user, it is trying to use the root user to connect to the Informix DB server. Is there a way we can configure a user name and password for dbaccess to use the configured userId instead of root?

Google Cloud bitnami wordpress installation permissions

I have set up an installation of Bitnami WordPress Multisite in Google Cloud. I have also set up SSH, and I am able to connect through SSH, but I want to go to the WordPress installation and edit files / upload plugins / edit permissions. Any idea how I can do that? I followed Bitnami's guide but it still does not allow me.
The cloud image of Bitnami WordPress Multisite is already configured with the right permissions to allow you to install or upload plugins, edit any file, etc. using the WordPress administration panel.
However, if you are using an old version of WordPress you may find some permissions problems. If it is your case, you can try the following workaround:
Open /opt/bitnami/apps/wordpress/htdocs/wp-config.php
Look for define('FS_METHOD', 'ftptext');
Replace it with define('FS_METHOD', 'direct');
Change the permissions of /opt/bitnami/apps/wordpress/htdocs to allow the server user (daemon) to make the modifications. You can do that by executing sudo chown -R daemon /opt/bitnami/apps/wordpress/htdocs
Go to the WordPress admin panel and check you can perform the operation you want.
Hope it helps.
For security reasons, WordPress files are not editable from the
WordPress application itself. We would suggest using an FTP client to
edit the files remotely.
Another option is to change the permissions to be able to edit from
the WordPress application temporarily. Note that this configuration is
not secure so please revert it after editing the files temporarily:
sudo chown daemon:daemon /opt/bitnami/apps/wordpress/htdocs/
Afterwards, revert the changes to stay secure.
For /wp-content folder
sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/htdocs/wp-content
sudo chmod -R g+w /opt/bitnami/apps/wordpress/htdocs/wp-content
https://docs.bitnami.com/google/apps/wordpress/

Allowing Permissions for Rails on Bitnami Google Compute Engine

I am attempting to test the sample app provided by Bitnami in the Ruby Stack, I have placed the files in the htdocs folder:
and access the url http://(IP)/sample. The result is that the url is active but I do not have permission to access anything present as:
How can I alter the permissions for this sample app so I can access?
Bitnami developer here. If you want to deploy your application using Passenger, you can follow the next guide.
https://wiki.bitnami.com/Infrastructure_Stacks/BitNami_Ruby_Stack?highlight=ruby+stack#How_can_I_deploy_my_Rails_application.3f
Apart from that, if you want to deploy a new page using Apache, you have to give read privileges to Apache. You can run the following commands:
$ sudo chown -R bitnami:daemon /opt/bitnami/apache2/htdocs
$ sudo chmod -R g+r /opt/bitnami/apache2/htdocs
I hope this helps.

Non-privileged, non-root, user to start or restart webserver server such as nginx without root or sudo

I'm using capistrano to deploy a rails web app. I want to give the deploy user on the webserver as few privileges as I can. I was able to do everything I need to do as a non-privileged user except restart the webserver.
I'm doing this on an ubuntu server, but this problem is not specific to my use case (rails, capistrano, deployment), and I've seen a lot of approaches to this problem that seem to involve poor security practices. Wondering whether others can vet my solution and advise whether it's secure?
First, not necessary, but I have no idea why /etc/init.d/nginx would need any (even read) access by other users. If they need to read it, make them become root (by sudo or other means), so I:
chmod 750 /etc/init.d/nginx
Since the ownership is owner root, group root (or can be set such with chown root:root /etc/init.d/nginx) only root, or a user properly sudo'ed, can read, change or run /etc/init.d/nginx, and I'm not going to give my deploy user any such broad rights. Instead, I'm only going to give the deploy user the specific sudo right to run the control script /etc/init.d/nginx. They will not be able to run an editor to edit it, because they will only have the ability to execute that script. That means that if someone gets access to my box as the deploy user, they can restart and stop, etc., the nginx process, but they cannot do more, like change the script to do lots of other, evil things.
Specifically, I'm doing this:
visudo
visudo is a specific tool used to edit the sudoers file, and you have to have sudoer privileges to access it.
Using visudo, I add:
# Give deploy the right to control nginx
deploy ALL=NOPASSWD: /etc/init.d/nginx
Check the sudo man page, but as I understand this, the first column is the user being given the sudo rights, in this case, “deploy”. The ALL gives deploy access from all types of terminals/logins (for example, over ssh). The end, /etc/init.d/nginx, ONLY gives the deploy user root access to run /etc/init.d/nginx (and in this case, the NOPASSWD means without a password, which I need for an unattended deployment). The deploy user cannot edit the script to make it evil, they would need FULL sudo access to do that. In fact, no one can unless they have root access, in which case there's a bigger problem. (I tested that the user deploy could not edit the script after doing this, and so should you!)
What do you folks think? Does this work? Are there better ways to do this? My question is similar to this and this, but provides more explanation than I found there, sorry if it's too duplicative, if so, I'll delete it, though I'm also asking for different approaches.
The best practice is to use /etc/sudoers.d/myuser
The /etc/sudoers.d/ folder can contain multiple files that allow users to call stuff using sudo without being root.
The file usually contains a user and a list of commands that the user can run without having to specify a password. Such as
sudo service nginx restart
Note that we are running the command using sudo. Without the sudo the sudoers.d/myuser file will never be used.
An example of such a file is
myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
This will allow the myuser user to call all start, stop and restart for the nginx service.
You could add another line with another service or continue to append them to the comma separated list, for more items to control.
Also make sure you have run the command below to secure things
chmod 0440 /etc/sudoers.d/myuser
This is also the way I start and stop services from my own upstart scripts that live in /etc/init
It can be worth checking that out if you want to be able to run your own services easily.
Instructions:
In all commands, replace myuser with the name of your user that you want to use to start, restart, and stop nginx without sudo.
Open sudoers file for your user:
$ sudo visudo -f /etc/sudoers.d/myuser
Editor will open. There you paste the following line:
myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
Save by hitting ctrl+o. It will ask where you want to save, simply press enter to confirm the default. Then exit out of the editor with ctrl+x.
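
The checks discussed in this thread (drop-in mode 0440, absolute command paths, pinned arguments, a target script that only root can change) can be automated. The following is an added example, not code from any of the posts; the helper name audit_sudoers_dropin, its messages and the sample rule files are assumptions for illustration, and it handles only simple one-line NOPASSWD rules on a system with GNU stat.

```bash
#!/usr/bin/env bash
# Added example: audit simple one-line NOPASSWD rules in a sudoers drop-in.
# Assumes GNU stat (Linux); audit_sudoers_dropin is a hypothetical helper.
# Rule shape: user host=(runas) NOPASSWD: cmd1, cmd2, ...

audit_sudoers_dropin() {   # usage: audit_sudoers_dropin FILE [TRUSTED_UID]
  local file="$1" uid="${2:-0}" n=0 line spec cmd path mode
  mode=$(stat -c '%a' "$file") || return 2
  [ "$mode" = 440 ] || { echo "MODE: $file is $mode, expected 440"; n=$((n + 1)); }
  while IFS= read -r line; do
    case $line in '#'*|'') continue ;; *NOPASSWD:*) ;; *) continue ;; esac
    spec=${line#*NOPASSWD:}                 # command list after the tag
    while [ -n "$spec" ]; do
      cmd=${spec%%,*}                       # next comma-separated command
      case $spec in *,*) spec=${spec#*,} ;; *) spec='' ;; esac
      cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
      path=${cmd%% *}
      case $path in
        /*) ;;
        *) echo "PATH: '$cmd' is not an absolute path"; n=$((n + 1)) ;;
      esac
      # A command listed without arguments may be run with any arguments.
      [ "$cmd" != "$path" ] || { echo "ARGS: '$cmd' accepts any arguments"; n=$((n + 1)); }
      [ -e "$path" ] || continue
      # Root executes the target, so only the trusted owner may be able to change it.
      [ "$(stat -L -c '%u' "$path")" = "$uid" ] ||
        { echo "OWNER: $path is not owned by uid $uid"; n=$((n + 1)); }
      case $(stat -L -c '%a' "$path") in
        *[2367]?|*[2367]) echo "WRITABLE: $path is group/other writable"; n=$((n + 1)) ;;
      esac
    done
  done < "$file"
  echo "$n finding(s)"
  [ "$n" -eq 0 ]
}

# Constructed sample files holding the two rule styles quoted in this thread.
demo=$(mktemp -d)
echo 'deploy ALL=NOPASSWD: /etc/init.d/nginx' > "$demo/deploy"
echo 'myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx restart' > "$demo/myuser"
chmod 0440 "$demo/deploy" "$demo/myuser"
for f in "$demo/deploy" "$demo/myuser"; do audit_sudoers_dropin "$f" || true; done
rm -rf "$demo"
```

The function exits non-zero when it reports any finding, so it can gate a deployment step; a syntax check with visudo -c -f on the same file is still needed, since this helper does not parse the full sudoers grammar.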

Reloading nginx config from within a rails app

I have a multi-app system running on a CentOS box that consists of our main app and a deployer app. When a client wants a new instance of our app, they use our deployer, fill in some info, and the new install is created on our server. The issue I am having is that I can't get nginx to reload its config file automatically, so after the deploy, when visiting the new app, we receive a 404 until I reload manually.
I've tried a few different ways, including chmod /opt/nginx/sbin/nginx to 777 and chmod the install script and deployer app to 777.
The script goes like this:
#create install directory -- works correctly
#copy files over -- works correctly
#run install script
##-- and then at this point i've tried multiple lines, including:
system("nginx -s reload") ## this works manually
system("/etc/init.d/nginx reload") ## this works manually
I've followed the directions here: Restart nginx without sudo? to create a script to run without a sudo password, and then tried this:
system("sudo /var/www/vhosts/deployer/lib/nginx_reload")
Nothing seems to work. I'm assuming this is a permissions error, but maybe I'm wrong. If anyone could point me in any direction, that would be very helpful, since I've been trying to figure this out for a few days too long and I'm fresh out of new ideas.
sudo /etc/init.d/nginx reload
