Sunday, March 22, 2009

Working without root access

For so many years I've worked with Unix machines where I've had root access. To be honest, I've got a bit slack; it's so easy to install software, libraries and Python modules as root, and I'd forgotten that you can live without root access and still have the environment you want.

Naturally there is a security benefit to installing everything possible with just user rights.

My own bin path

Create a bin directory in your home directory.

Add this to ~/.bash_profile:

export PATH=~/bin:$PATH

This way my local binaries are favoured over the system ones.
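Because ~/bin now comes first, anything placed there overrides the system command of the same name, so it helps to know what is being overridden and who else can write to the directory. The following is an added example, not part of the original post; the function names are made up for illustration.

```bash
# Added example (not from the original post); function names are hypothetical.

# in_other_dir NAME SKIPDIR PATHSTRING
# Succeeds if an executable called NAME exists in a directory of
# PATHSTRING other than SKIPDIR. Runs in a subshell so IFS stays local.
in_other_dir() (
    IFS=:
    set -f                      # split on ':' only, no globbing
    for d in $3; do
        [ -n "$d" ] || continue
        [ "${d%/}" = "$2" ] && continue
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then exit 0; fi
    done
    exit 1
)

# shadowed_commands DIR PATHSTRING
# Prints each executable in DIR that hides a same-named command found
# elsewhere in PATHSTRING.
shadowed_commands() (
    dir=${1%/}
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        if in_other_dir "${f##*/}" "$dir" "$2"; then
            printf '%s\n' "${f##*/}"
        fi
    done
)

# writable_by_others DIR
# Succeeds if DIR has the group-write or other-write permission bit set.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Report on the personal bin directory set up above.
if [ -n "${HOME:-}" ] && [ -d "$HOME/bin" ]; then
    if writable_by_others "$HOME/bin"; then
        echo "warning: $HOME/bin is writable by group or others"
    fi
    shadowed_commands "$HOME/bin" "$PATH"
fi
```

If the warning appears, chmod go-w ~/bin restricts writes to your own account.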

When building with configure, use this option to build and install in your own $HOME.

./configure --prefix=$HOME

When you run make install, everything goes in ~/bin and ~/lib.

Personal Python modules

When installing a Python module, use this:

python setup.py install --home=$HOME

Watch where it installs the files and in ~/.bash_profile add a line like this:

export PYTHONPATH=$PYTHONPATH:~/lib/python

rsync to a machine with my own rsync binary

When deploying software I like to use efficient rsync to copy over what's changed. If the remote machine doesn't have rsync installed, you can install your own copy in your own ~/bin directory and use rsync over ssh while telling it where your binary is at the other end. Here's the trick:

rsync -avz --rsync-path=/home/$USER/bin/rsync $SOURCE_PATH $USER@$DEST_HOST:$DESTPATH

So the --rsync-path is set to the path to an rsync binary at the other end.

Any other handy tips?


Alan Yates said...

I find that quite useful; running everything as a mere-mortal user. Especially in a high-scale commercial environment where you have a clustering load balancer or some other kind of front-end TCP port translation engine that means you can bind the web server to a high-port without too much IP Chains gymnastics to keep it available from a well-known one. I've done lots of specialised intranet applications where even Apache is run as the application user. Security and modularity is the big benefit. There is of course redundancy and some memory footprint impact if multiple instances run on the same host, but nowadays that isn't a big deal.

There was a recent project where my component (web-based) was required to run completely as its own user due to fears of support invalidation of other commercial products running on the same host if anyone but the host admin was given root access. Additional hardware or contractual sanity was unfortunately not an option, but the final solution worked wonderfully as a multi-customer solution due to its modularity.

I agree, rsync is very cool, along with ssh one of my favourite utilities hands-down. I also tend to rely heavily on CVS or Subversion for configuration management in different environments. In a few cases (especially intranet apps where security is somewhat less strict) we'd put the entire build tree on the production box and just check out the latest "production" tagged release as a migration strategy. This was quite handy where the architecture of the development environment was different to production and staging. Lazy yes, but quite expedient when you had to respond to the latest client demands quickly, and easy to back out using the version control system itself. Data was as-always an extra wrinkle that was managed conventionally with semi-automated check-pointing.

Most web-apps' server-side bits are JIT compiled or interpreted nowadays, so the "code" ends up in production even on high-security sites. The "back-end" middle tier logic is frequently behind a firewall as another layer of security, just the presentation tier runs in the DMZ as mere-mortal users. Gives the would-be crackers a slightly more challenging time anyway.

BTW: Back in Oz yet?

Peter B Marks said...

Hi Alan,

Yep, I got back over the weekend. Still recovering.

Yes I like using svn for configuration management but some others don't for some reason.

I have been deploying software in a variety of restricted places including on a DreamHost shared host.

As you say there's some duplication of files if everyone has their own copy but at least you don't wake up one day to find that a library has changed and broken everything. In any case disk space is so cheap now and finally software seems to be getting smaller again at last.

I've been following your QRSS exploits with great interest by the way.

Christopher said...

Hey Pete,

Of course, sudo and /etc/sudoers is your friend/your system admin's friend. :-)