Capistrano + Thin + Nginx与用户不允许sudo howto吗? [英] Capistrano + thin + nginx with user not allowed to sudo howto?
问题描述
我有一个这样的场景,我想使用capistrano将我的ruby部署在rails应用程序上:
I have a scenario like this which I want to use capistrano to deploy my ruby on rails application:
- 该Web应用程序位于精简集群上,其配置文件存储在/etc/thin下. /etc/init.d/thin中也有一个初始化脚本,因此只要我的服务器需要重启,它就会自动启动
- nginx的执行方式也相同(与init脚本守护程序一样)
- 为了确保万一有人入侵了我的Web服务器,我不希望他们做得太可怕了,因此不允许Web用户使用sudo.
- Thin和nginx都以网络用户身份运行以加强安全性
现在,当我需要进行部署时,我需要将文件安装在/home/webuser/railsapps/helloworld下,并且我需要cap脚本随后重新启动我的瘦客户机.我想让所有文件都归Web用户所有,因此Cap脚本主要用户正以Web用户身份运行.现在,当我想重新启动精简守护程序时出现了问题,因为webuser不能sudo.
Now when I need to do the deployment, I would need the files to be installed under /home/webuser/railsapps/helloworld, and I need the cap script restart my thin afterwards. I want to keep all files owned by the webuser, so the cap script primary user is running as webuser. Now the problem arise when I want to restart the thin daemon because webuser can't sudo.
我正在考虑是否有可能调用两个单独的会话-webuser进行文件部署,然后调用特殊的sudoer来重新启动守护程序.谁能给我一个示例脚本吗?
I am thinking if its possible to invoke two separate sessions- webuser for file deployment, and then a special sudoer to restart the daemon. Can anyone give me a sample script on this?
推荐答案
这可能不是您想要的,但实际上您可以在sudoers文件中执行以下操作:
This might not be what you want, but you can actually do something like this in your sudoers file:
someuser ALL=NOPASSWD: /etc/init.d/apache2
允许某些用户运行/etc/init.d/apache2
that lets someuser run /etc/init.d/apache2
如果您尝试做其他事情:
If you try to do something else:
$ sudo ls
[sudo] password for someuser:
Sorry, user someuser is not allowed to execute '/bin/ls' as root on ...
这篇关于Capistrano + Thin + Nginx与用户不允许sudo howto吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
