Hi, I'm trying to deploy my Rails app to a VPS via Passenger and Apache2.
[ W 2018-02-14 21:02:37.0342 9640/T1 age/Cor/CoreMain.cpp:969 ]: WARNING: potential privilege escalation vulnerability. Phusion Passenger is running as root, and part(s) of the passenger root path (/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0) can be changed by non-root user(s):
The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0" is writeable by any user (or application). Limit write access on the path to only the root user/group.
The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm/gems/ruby-2.4.1@spelld.it" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm/gems" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy/.rvm" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
The path "/home/deploy" can be modified by user "deploy" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.
I tried to change the permissions, but it didn't work, using
sudo chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0
and
sudo chown root:root /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0
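I even found a question with the same problem, but I don't know how to fix it... How can I avoid running Phusion Passenger as root?
Passenger author here. Another thing you can do is to install RVM, Ruby and Passenger as root instead of as the user "deploy". That way, your Ruby installation and Passenger installation are owned by root, and you won't see this warning.
Even better: use our native Debian/Ubuntu/CentOS packages.
I'd like to offer some insight as well. @Hongli's answer is not the whole story. @Taryn East is correct. Even if you chown each dir, you also need to chmod each dir for Passenger to work properly.
In your example, you need: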
chmod 700 /home/deploy/.rvm
chmod 700 /home/deploy/.rvm/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/
chmod 700 /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0
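To see which components of the Passenger root path would still trigger the warning after a chown or chmod, the following added example (not from the original thread and not Passenger's own code) walks the path and every ancestor and reports the two conditions the log names: a non-root owner, or write access for any user. The function names and the optional trusted-UID argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: approximates the two conditions named in the Passenger warning.
# Function names and the TRUSTED_UID parameter are hypothetical, not Passenger's.

# component_issue PATH [TRUSTED_UID]
# Prints why PATH is unsafe for a service running as root; prints nothing if OK.
component_issue() {
    ci_trusted=${2:-0}
    # ls -ldnL (POSIX): field 1 is the mode string, field 3 the numeric owner UID.
    # -L follows symlinks so the target directory is judged, not the link.
    set -- $(ls -ldnL -- "$1" 2>/dev/null | awk '{print $1, $3}')
    [ $# -eq 2 ] || return 2
    ci_why=
    [ "$2" = "$ci_trusted" ] || ci_why="owned by uid $2"
    case $1 in
        # 9th character of the mode string is the "other" write bit.
        ????????w*) ci_why="${ci_why:+$ci_why, }writable by any user" ;;
    esac
    [ -z "$ci_why" ] || printf '%s\n' "$ci_why"
    return 0
}

# audit_chain ABSOLUTE_PATH [TRUSTED_UID]
# Checks the path and each parent up to /, printing "path: reason" per finding.
# Returns 1 if anything was reported, 0 if the whole chain is clean.
audit_chain() {
    ac_path=$1
    ac_trusted=${2:-0}
    ac_bad=0
    case $ac_path in
        /*) ;;
        *) echo "audit_chain: absolute path required" >&2; return 2 ;;
    esac
    while :; do
        ac_out=$(component_issue "$ac_path" "$ac_trusted")
        if [ -n "$ac_out" ]; then
            ac_bad=1
            printf '%s: %s\n' "$ac_path" "$ac_out"
        fi
        [ "$ac_path" = "/" ] && break
        ac_path=$(dirname -- "$ac_path")
    done
    return "$ac_bad"
}

# Usage, with the path from the warning above:
#   audit_chain /home/deploy/.rvm/gems/ruby-2.4.1@spelld.it/gems/passenger-5.2.0
```

Every parent directory is checked because whoever can write to a parent can rename or replace the directory below it, which is why the log lists each component up to /home/deploy.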
This is the only real solution that doesn't involve changing everything. Put the following in your site's conf. It also works in apache2.conf
PassengerUserSwitching off
PassengerDefaultUser "your-user-name"
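Now check your error log. No more errors.
I don't understand why. The Passenger documentation calls it sandboxing. Not sure what other consequences there are.
Solution obtained from:
https://sun-blog.site/passenger��E5� 200;%E8%AD%A6%E5%91%8A/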
https://blog.masterka.net/archives/1828
via Google