Majic Projects
Majic Ansible Roles
Majic Ansible Roles / Closed Feature request MAR-59 Use dedicated administrator account wsgi_website and php_website roles
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue
    Feature request
  • Category
    Security
  • Targeted for
    1.0.0
  • Status
    Closed
  • Progress
  • Priority
    Must fix before next release
User pain
  • Type of bug
    Not triaged
  • Likelihood
    Not triaged
  • Effect
    Not triaged
Times and dates
  • Posted at
  • Last updated
  • Estimated time
    2 hours
  • Time spent
    No time spent
Issue details
  • Resolution
    RESOLVED
Description
Currently the '''php_website''' and '''wsgi_website''' roles allow the user to specify a website administrator that will be granted write permissions on website files.

This can have possible security repercussions in cases where the specified administrator is also used for administering other websites or, even worse, has sudo privileges. For example, with the '''wsgi_website''' role the administrator would be activating the virtual environment with a lot of different packages, and some of those might be malicious.

It would be better to instead have dedicated administrator users for each website.

For example, if the website user/group is '''web-test_example_com''', the role could create an administrator user that belongs to group '''web-test_example_com''' with username '''admin-test_example_com'''. The admin should only be created if the user has not explicitly specified an administrator.

A tiny enhancement for the wsgi_website role would be to auto-activate the virtual environment when switching to the administrator user as well.
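
The behaviour proposed in the description above, written as an Ansible play. This is an added example, not code from the roles themselves; the variable names ('''website_fqdn''', '''website_admin'''), the paths, and the derivation of the account names from the FQDN are assumptions.

```yaml
# Added example: variable names, paths and the FQDN-based naming are assumptions.
- hosts: web
  become: true
  vars:
    website_fqdn: test.example.com            # constructed sample value
    # website_admin: alice                    # uncomment to name an administrator explicitly
    website_group: "web-{{ website_fqdn | replace('.', '_') }}"
    dedicated_admin: "admin-{{ website_fqdn | replace('.', '_') }}"
    effective_admin: "{{ website_admin | default(dedicated_admin) }}"
    website_home: "/var/www/{{ website_fqdn }}"
  tasks:
    - name: Ensure the website group exists
      ansible.builtin.group:
        name: "{{ website_group }}"
        system: true

    - name: Create the dedicated administrator unless one was specified
      ansible.builtin.user:
        name: "{{ dedicated_admin }}"
        group: "{{ website_group }}"     # website group only; no sudo, no other sites
        home: "{{ website_home }}"
        create_home: false
        shell: /bin/bash
        password: "!"                    # locked password; reached via su or sudo -u
      when: website_admin is not defined

    - name: Give the effective administrator write access to the website code
      ansible.builtin.file:
        path: "{{ website_home }}/code"
        state: directory
        owner: "{{ effective_admin }}"
        group: "{{ website_group }}"
        mode: "2750"

    - name: Auto-activate the virtual environment on login (wsgi_website only)
      ansible.builtin.copy:
        dest: "{{ website_home }}/.profile"
        content: |
          # Managed by Ansible
          . "{{ website_home }}/virtualenv/bin/activate"
        owner: root                      # administrator can read but not rewrite it
        group: "{{ website_group }}"
        mode: "0640"
      when: website_admin is not defined
```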