Commit b40ef240 authored by Andrew Lee (李健秋)'s avatar Andrew Lee (李健秋) Committed by Héctor Orón Martínez

Make passenger rubyapp runs as obsapi user.

Passenger's default user is nobody:
 https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_default_user

So that we got Passenger and the RubyApp runs as nobody. However,
according to Debian's SystemGroup usage:
  https://wiki.debian.org/SystemGroups

nogroup (user: nobody): Daemons that need not own any files run as user
nobody and group nogroup. Thus, no files on a system should be owned by
this user or group.

So that we should create a new user call 'obapi' and force passenger app
to run as obs-api instead.

And config files should be readable by that obsapi user but usually not
writable.
Signed-off-by: default avatarAndrew Lee (李健秋) <ajqlee@debian.org>
Signed-off-by: Héctor Orón Martínez's avatarHéctor Orón Martínez <hector.oron@collabora.com>
parent 9032743e
......@@ -26,10 +26,10 @@ case "$1" in
chown -R www-data:www-data /usr/share/obs/api/public
chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
chmod 664 /var/log/obs/*.log
chown obsapi:www-data /etc/obs/api/config/database.yml
chown obsapi:obsapi /etc/obs/api/config/database.yml
chmod 440 /etc/obs/api/config/database.yml
chown obsapi:www-data /var/log/obs/backend_access.log
chown obsapi:www-data /var/log/obs/production.log
chown obsapi:obsapi /var/log/obs/backend_access.log
chown obsapi:obsapi /var/log/obs/production.log
# Generate Gemfile.lock file.
cd /usr/share/obs/api
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment