Run Rails app as non-root user, but ask for root password to access files

Question

I have been given the task to make the source files of a Rails application non-readable without providing a password (root user's password), so the client won't be able to peek inside the application (which will run on a machine which will be kept in a server-room at the client's).

I tried changing the ownership of all the application folder (and files, and subfolders etc.) to root, and set permissions to execute-only for "other" users... But to no avail: I achieved the non-readability of the files for the non-root user, but it was also impossible to run the app.

Running sudo rails ... didn't work either with these permissions.

The machine is running Ubuntu 14.04. The app is based on Rails 4.2 and Ruby v2.2.1p85, and actually runs behind nginx and is using unicorn (+ thin as integrated web server)... If that ever makes a difference. The machine is set to start and automatically login the only non-root user (say company ) without asking for a password, and to immediately launch unicorn.

One thing I still haven't tried, because I think it might be too invasive of an operation, is creating a new user account, say client , and have the machine autologin this new account. While leaving company as the owner of the app files and folders, I would set Ubuntu to run unicorn as a different user from the logged in one (ie company vs. client ) and it would be impossible to open the file in a reader.

How can I achieve my goal, if it is even possible?

Answer 1

Following your first approach by changing permissions of all files, why don't you try to set the set-user-ID-on-execution bit :

chmod -R 4701 <app_dir>

This will prevent "other" users from reading and will allow them to execute, but while executing they will gain the privileges of the owner (which is the interest of set-user-ID ).

PS I don't know if this would work for you but it worths trying.