Run codedeploy-agent as non-root user

[Jud]

It would be nice to be able to run the agent as a non-root user, or, only run the supervisor as root, and drop privileges on the child process if they're not needed.

In our case, we'd like to only deploy signed binaries which are checked by a server agent as part of the deploy process (with the agent only decrypting a payload if the signatures are verified). Because code-deploy runs as root, it is possible that compromised credentials could lead to an unauthorized payload being deployed.

[todwilli]

You can use the AppSpec file to set the runas user for scripts as well as set the permissions on installed files. A combination of the two should cover your use case.

Check out http://docs.aws.amazon.com/codedeploy/latest/userguide/app-spec-ref.html#app-spec-ref-hooks and http://docs.aws.amazon.com/codedeploy/latest/userguide/app-spec-ref.html#app-spec-ref-permissions for more details as well as examples.

[Jud]

@todwilli This will cover the use case, but I'm still a bit weary about needing to run a remote-code-fetching daemon as root. Seems like a large attack surface area relative to whatever convenience is gained.

[wmbutler]

@todwilli

Within my appspec.yml file, I'm setting the runas to ubuntu. The problem is that my source directory is entirely owned by root. I've attempted to change the permissions of the source directory where the script is located and I keep getting the same

.....deployment-archive/./server.sh: Permission denied

Here is my appspec.yml file (I've tried both . and ./ to set the user on the server.sh script.

version: 0.0
os: linux
files:
  - source: dist
    destination: /home/test/dist
  - source: node_modules
    destination: /home/test/node_modules
  - source: server.json
    destination: /home/test
permissions:
  - object: /home/test
    owner: ubuntu
    group: ubuntu
permissions:
  - object: .
    owner: ubuntu
    group: ubuntu
hooks:
  ApplicationStart:
    - location: ./server.sh
      timeout: 30
      runas: ubuntu

[surybala]

@wmbutler
The hook scripts are executed from the source location and the permission settings are applied on the destination location. So in your case you are invoking the server.sh from the source location and not destination location.
Could you please verify if the execute bit is set for non root users (others) for the file server.sh in your bundle. If not, can you make it 755 and bundle into tar. That way, the permissions will be preserved and you could execute the script as ubuntu user.

[wmbutler]

I wrote my own deploy script. 15 seconds to download form S3 instead of the crazy 5-8 minutes for CodeDeploy. Took me 5 hours to write it.

[artburkart]

Why does the agent run as root? I'm trying to run it as a different user, but I can't seem to get any logs to tell me why it's a no go.

[ccloes]

@artburkart we were able to get the agent to run as non-root using the modifications referenced above to add "sudo" support. I ran into a similar problem where the init script was redirecting stderr/stdout to /dev/null and it was failing without detail... not sure if you are having a similar issue. Getting it to work takes a bit of coercion.

[thegranddesign]

The fact that anyone allowed to push a deploy effectively has root access to every server the code is deployed to is a huge issue IMO. I honestly can't believe that this was even allowed to get passed the "Hey what about..." phase of the conversation.

Adding sudo support is a good first step, since in the sudoers you can give the deploy user access to "sudo nopasswd" only the commands it needs to do its job. However since this is still in the appspec.yml file and everything in there is run as root, it doesn't solve the base issue.

[artburkart]

To make CodeDeploy run as www-data on my Ubuntu instances, I wrote the following installation script using Ansible.

https://gist.github.com/artburkart/8b8894ef8973fab34773a1a311f9f19a

[aftabnaveed]

+1 run as non-root. I have thousands of files with different sets of permissions, I really want the permissions to be retained, but when deployed as root every thing just gets reset.

[Constantin07]

+1

[hgenchev99]

https://aws.amazon.com/premiumsupport/knowledge-center/codedeploy-agent-non-root-profile/