Setting permissions for your Gitlab CI Runner & W3 Total Cache

So in the last post on this, I looked at setting up auto deploy for a WordPress site using GitLab’s CI runner.  I also wanted the W3TC cache to be cleared, and thanks to WP-CLI, that was possible by adding:

- sudo -u www-data wp w3-total-cache flush

to the end of the script node in .gitlab-ci.yml.

Now. “sudo?!?!?!?!” I hear you say? There’s a security risk if ever I saw one. Luckily this doesn’t have to be the case if things are set up right. Make a separate user for GitLab Runner and limit it to sudo-ing as only www-data and only running that command while doing so.

It’s a good idea to setup a separate user in general too, for security.

There wasn’t an awful lot of info on that when I Googled though, so (from inital user creation):

adduser gitlabrunner
usermod -a -G www-data gitlabrunner
passwd gitlabrunner # set a password for your new user
# ...then ssh into the box with that user & pass and:
ssh-keygen -t rsa
# Set a new deploy key in Gitlab admin setting using your new so your new user can "git pull"
vi /home/gitlabrunner/.ssh/authorized_keys
# copy the public key from your GitLab box in. For instance from /root/.ssh/
chown -R gitlabrunner:gitlabrunner /home/gitlabrunner/.ssh
chmod -R go-rwx /home/gitlabrunner/.ssh
# Edit your sudoers file
# add:
gitlabrunner ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp 

Done! Your CI script will now be able to run WP-CLI commands as www-data. No root access, no entering passwords.

Enable Root Login on Ubuntu Server

If you’re using Ubuntu as a web server, as the main admin there’s not much reason not to enable root login via SSH. Digital Ocean do it on their VMs by default for instance. So:

sudo passwd root # Set a new password
sudo nano /etc/ssh/sshd_config

Comment out `PermitRootLogin without-password` and add `PermitRootLogin yes`. Save it and reload the ssh config:

sudo service ssh reload

Job done! No more using sudo all the time to change your Nginx config!