capistrano-secure-permissions 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e824ee671212d702cafa026d37d55f783d4610db
+  data.tar.gz: a259d9b73e71f3bae4600fd0efd1164b0ddd7403
+SHA512:
+  metadata.gz: 475a21e599e5437cf74697e1e9416da8214b8e9c55e3183d21384b8f5c39f92157eae5b6a40f8859bc342b2aab5290fa4066f376e35895682dcf93fe56a12713
+  data.tar.gz: 1c8e39235a16ac2bae7233dfd18e764ac9d9f4f4357578153889a96e68247d8725f14fe0be33ee90fe7ddedd73180870a6e2b007ff6978392d82a3d46d66fe24

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+group :development do
+  gem "rdoc", "~> 4.2.0"
+  gem "bundler", "~> 1.0"
+  gem "jeweler", "~> 2.0.1"
+end

data/Gemfile.lock

@@ -0,0 +1,56 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.3.7)
+    builder (3.2.2)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
+    faraday (0.9.1)
+      multipart-post (>= 1.2, < 3)
+    git (1.2.9.1)
+    github_api (0.12.3)
+      addressable (~> 2.3)
+      descendants_tracker (~> 0.0.4)
+      faraday (~> 0.8, < 0.10)
+      hashie (>= 3.3)
+      multi_json (>= 1.7.5, < 2.0)
+      nokogiri (~> 1.6.3)
+      oauth2
+    hashie (3.4.0)
+    highline (1.7.1)
+    jeweler (2.0.1)
+      builder
+      bundler (>= 1.0)
+      git (>= 1.2.5)
+      github_api
+      highline (>= 1.6.15)
+      nokogiri (>= 1.5.10)
+      rake
+      rdoc
+    json (1.8.2)
+    jwt (1.4.1)
+    mini_portile (0.6.2)
+    multi_json (1.11.0)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    oauth2 (1.0.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    rack (1.6.0)
+    rake (10.4.2)
+    rdoc (4.2.0)
+      json (~> 1.4)
+    thread_safe (0.3.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.0)
+  jeweler (~> 2.0.1)
+  rdoc (~> 4.2.0)

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2015 Rune Schjellerup Philosof
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,47 @@
+= Capistrano::Secure Permissions
+
+You should create a user to run the app as. For Phusion Passenger, set the user with PassengerUser and PassengerGroup.
+That user should not own the files or have any other access to them.
+The deploy user should own the files.
+
+````
+set :app_user, 'www-client-app'
+set :web_user, 'www-data' # Defaults to 'www-data'
+````
+
+The `web_user` is the one serving the static files (what apache, nginx, ... is running as).
+
+
+== Installation
+
+Add this line to your application's Gemfile
+
+````
+gem 'capistrano-secure-permissions', :git => 'centic@puppet.centic.dk:repos/centic/capistrano-secure-permissions.git'
+````
+
+
+== Usage
+
+Add this line to your application's Capfile
+
+````
+require 'capistrano/secure-permissions'
+````
+
+
+== Contributing to capistrano-secure-permissions
+
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+
+== Copyright
+
+Copyright (c) 2015 Rune Schjellerup Philosof. See LICENSE.txt for
+further details.

data/Rakefile

@@ -0,0 +1,36 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://guides.rubygems.org/specification-reference/ for more options
+  gem.name = "capistrano-secure-permissions"
+  gem.homepage = "http://github.com/runephilosof/capistrano-secure-permissions"
+  gem.license = "MIT"
+  gem.summary = %Q{Sets ACL permissions after capistrano deployment}
+  gem.description = %Q{This gem makes it easy to run your app with a user that only has write permissions to the public folder}
+  gem.email = "rune.capistrano-secure-permissions@philosof.dk"
+  gem.authors = ["Rune Schjellerup Philosof"]
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "capistrano-secure-permissions #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/capistrano-secure-permissions.gemspec

@@ -0,0 +1,57 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+# stub: capistrano-secure-permissions 0.1.0 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "capistrano-secure-permissions"
+  s.version = "0.1.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Rune Schjellerup Philosof"]
+  s.date = "2015-03-19"
+  s.description = "This gem makes it easy to run your app with a user that only has write permissions to the public folder"
+  s.email = "rune.capistrano-secure-permissions@philosof.dk"
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "capistrano-secure-permissions.gemspec",
+    "lib/capistrano/secure-permissions.rb",
+    "lib/capistrano/tasks/secure-permissions.rake",
+    "lib/secure-permissions.rb"
+  ]
+  s.homepage = "http://github.com/runephilosof/capistrano-secure-permissions"
+  s.licenses = ["MIT"]
+  s.rubygems_version = "2.2.2"
+  s.summary = "Sets ACL permissions after capistrano deployment"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rdoc>, ["~> 4.2.0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 2.0.1"])
+    else
+      s.add_dependency(%q<rdoc>, ["~> 4.2.0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0"])
+      s.add_dependency(%q<jeweler>, ["~> 2.0.1"])
+    end
+  else
+    s.add_dependency(%q<rdoc>, ["~> 4.2.0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0"])
+    s.add_dependency(%q<jeweler>, ["~> 2.0.1"])
+  end
+end
+

data/lib/capistrano/secure-permissions.rb

@@ -0,0 +1 @@
+load File.expand_path('../tasks/secure-permissions.rake', __FILE__)

data/lib/capistrano/tasks/secure-permissions.rake

@@ -0,0 +1,34 @@
+namespace :deploy do
+  desc 'Secure app with file permissions'
+  task :secure_permissions do
+    on roles(:all) do
+      execute :setfacl, "-m", "u:www-data:x", "#{release_path}", "#{shared_path}", "#{shared_path}/public"
+      execute :setfacl, '--logical', '--recursive', '-m', "u:#{web_user}:rX,d:u:#{web_user}:rX,u:#{app_user}:rwX,d:u:#{app_user}:rwX", "#{release_path}/public"
+      execute :setfacl, '--logical', '--recursive', '-m', "d:u:#{app_user}:rX,u:#{app_user}:rX", "#{release_path}", "#{shared_path}"
+      execute :setfacl, '--logical', '--recursive', '-m', "d:u:#{app_user}:rwX,u:#{app_user}:rwX", "#{release_path}/log", "#{release_path}/tmp"
+    end
+  end
+
+  after 'deploy:updated', 'deploy:secure_permissions'
+end
+
+namespace :secure_permissions do
+  task :validate do
+    on roles(:all) do
+      if fetch(:app_user).nil?
+        error "secure_permissions: app_user is not set"
+        exit 1
+      end
+    end
+  end
+end
+
+Capistrano::DSL.stages.each do |stage|
+  after stage, 'secure_permissions:validate'
+end
+
+namespace :load do
+  task :defaults do
+    set :web_user, 'www-data'
+  end
+end

metadata

@@ -0,0 +1,99 @@
+--- !ruby/object:Gem::Specification
+name: capistrano-secure-permissions
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Rune Schjellerup Philosof
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-03-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: jeweler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+description: This gem makes it easy to run your app with a user that only has write
+  permissions to the public folder
+email: rune.capistrano-secure-permissions@philosof.dk
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.rdoc
+files:
+- ".document"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- capistrano-secure-permissions.gemspec
+- lib/capistrano/secure-permissions.rb
+- lib/capistrano/tasks/secure-permissions.rake
+- lib/secure-permissions.rb
+homepage: http://github.com/runephilosof/capistrano-secure-permissions
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Sets ACL permissions after capistrano deployment
+test_files: []