
Letting Others Deploy Safely On Your Rails Machine

Deploying your own applications and sites on Rails Machine is wonderfully easy. But I have just started hosting a pure HTML site for a client and wanted to empower her to update her own site without depending on me. How to do that without opening up the whole server?

The answer is scponly, a shell that “provides access to remote users to read and write local files without providing any remote execution privileges.” It gives you SFTP access to a specific directory — and that’s it. Once it’s set up you can let people SFTP to your server, from the command line or with a graphical client like Cyberduck, and sleep soundly at night.

Once it’s set up.

Setting up Scponly

I’ll spare you the Homeric tale of the trials and tribulations I endured to set up scponly on my Rails Machine. This is what to do:

Log in to your Rails Machine.

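# The tarball comes over plain HTTP: check it against a checksum from a source you trust before building
$ wget http://sublimation.org/scponly/scponly-4.6.tgz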
$ tar vxzf scponly-4.6.tgz
$ cd scponly-4.6
$ sudo su -       # You may not need to do this (I did)
% cd /path/to/scponly-4.6
% ./configure --enable-chrooted-binary
% make && sudo make install
% exit            # Only if you ran sudo su - above
$ chmod +x setup_chroot.sh

$ sudo vi /etc/shells
# add these 2 lines:
/usr/local/bin/scponly
/usr/local/sbin/scponlyc

# set up a new jailed user
$ sudo ./setup_chroot.sh

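# Optional: make 'incoming' the start folder by editing the home path in /etc/passwd.
# The double slash is deliberate: scponlyc chroots to the part before it and starts in the part after it.
# The shell field must match the scponlyc path added to /etc/shells above.
scponly:x:1001:1001::/home/scponly//incoming:/usr/local/sbin/scponlyc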

Many thanks to Rob at Rails Machine for his herculean patience helping me with this.

Testing It Out

Your user should be able to SFTP to the server. He or she will land in their incoming directory and be able to transfer files there, but will not be able to get outside their home directory.

One gotcha to be aware of is SSH access. You’ll find your user can connect via ssh but is instantly disconnected. This puzzled me but is expected behaviour (both my puzzlement and the disconnection). The clue is in the name, scponly :)
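The passwd entry from the setup steps can also be checked before you hand out credentials. The script below is an added example, not part of scponly or the original post. It assumes the `//` convention in the home field (chroot to the part before it, start in the part after it), and the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of scponly or the original post.

# Print the jail root for a passwd home field: the part before "//",
# or the whole path when there is no "//" (assumed scponlyc convention).
chroot_dir() {
    case $1 in
        *//*) printf '%s\n' "${1%%//*}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# audit_entry PASSWD_LINE SHELLS_FILE
# Prints one line per problem; returns 0 only when none were found.
audit_entry() {
    rc=0
    # Fields: name:password:uid:gid:gecos:home:shell
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    # Only the chrooted binary (scponlyc) jails the user.
    if [ "${shell##*/}" != scponlyc ]; then
        echo "$name: shell $shell is not the chrooted scponlyc"; rc=1
    fi
    # The path must match the line added to /etc/shells exactly.
    if ! grep -qxF -- "$shell" "$2"; then
        echo "$name: shell $shell is not listed in $2"; rc=1
    fi
    # A uid 0 account can escape a chroot.
    if [ "$uid" = 0 ]; then
        echo "$name: uid 0 account cannot be confined by chroot"; rc=1
    fi
    # The jail root must be an absolute path other than "/".
    jail=$(chroot_dir "$home")
    case $jail in
        /?*) ;;
        *) echo "$name: jail root '$jail' does not confine anything"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample data modelled on the entries in the post.
shells=$(mktemp)
trap 'rm -f "$shells"' EXIT
printf '%s\n' /bin/sh /usr/local/bin/scponly /usr/local/sbin/scponlyc > "$shells"
good='scponly:x:1001:1001::/home/scponly//incoming:/usr/local/sbin/scponlyc'
bad='scponly:x:1001:1001::/home/scponly//incoming:/usr/sbin/scponlyc'
audit_entry "$good" "$shells" && echo "good entry: OK"
audit_entry "$bad" "$shells" || echo "bad entry: rejected"
```

On a live server, pass the user's line from `getent passwd` and `/etc/shells` as the two arguments.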

Andrew Stewart • 12 November 2007 • Deployment