phorge-phorge/src/applications/config/option/PhabricatorPHDConfigOptions.php

<?php

final class PhabricatorPHDConfigOptions
  extends PhabricatorApplicationConfigOptions {

  public function getName() {
    return pht("Daemons");
  }

  public function getDescription() {
    return pht("Options relating to PHD (daemons).");
  }

  public function getOptions() {
    return array(
      $this->newOption('phd.pid-directory', 'string', '/var/tmp/phd/pid')
        ->setDescription(
          pht(
            "Directory that phd should use to track running daemons.")),
      $this->newOption('phd.log-directory', 'string', '/var/tmp/phd/log')
        ->setDescription(
          pht(
            "Directory that the daemons should use to store log files.")),
      $this->newOption('phd.start-taskmasters', 'int', 4)
        ->setSummary(pht("Number of TaskMaster daemons to start by default."))
        ->setDescription(
          pht(
            "Number of 'TaskMaster' daemons that 'phd start' should start. ".
            "You can raise this if you have a task backlog, or explicitly ".
            "launch more with 'phd launch <N> taskmaster'.")),
      $this->newOption('phd.verbose', 'bool', false)
        ->setBoolOptions(
          array(
            pht("Verbose mode"),
            pht("Normal mode"),
          ))
        ->setSummary(pht("Launch daemons in 'verbose' mode by default."))
        ->setDescription(
          pht(
            "Launch daemons in 'verbose' mode by default. This creates a lot ".
            "of output, but can help debug issues. Daemons launched in debug ".
            "mode with 'phd debug' are always launched in verbose mode. See ".
            "also 'phd.trace'.")),
      $this->newOption('phd.user', 'string', null)
        ->setLocked(true)
        ->setSummary(pht("System user to run daemons as."))
        ->setDescription(
          pht(
            "Specify a system user to run the daemons as. Primarily, this ".
            "user will own the working copies of any repositories that ".
            "Phabricator imports or manages. This option is new and ".
            "experimental.")),
      $this->newOption('phd.trace', 'bool', false)
        ->setBoolOptions(
          array(
            pht("Trace mode"),
            pht("Normal mode"),
          ))
        ->setSummary(pht("Launch daemons in 'trace' mode by default."))
        ->setDescription(
          pht(
            "Launch daemons in 'trace' mode by default. This creates an ".
            "ENORMOUS amount of output, but can help debug issues. Daemons ".
            "launched in debug mode with 'phd debug' are always launched in ".
            "trace mdoe. See also 'phd.verbose'.")),
    );
  }

}
PHD Options. Test Plan: Looked at the options render properly. Reviewers: epriestley, btrahan, chad Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2255 Differential Revision: https://secure.phabricator.com/D4367 2013-01-09 15:05:34 +01:00			`<?php`

			`final class PhabricatorPHDConfigOptions`
			`extends PhabricatorApplicationConfigOptions {`

			`public function getName() {`
Don't preface 'Daemons' with 'Phabricator'. Summary: It's obvious that they're Phabricator related (why else would we provide settings for them) and nothing else is prefaced. Test Plan: Looked at /config/ Reviewers: epriestley, chad, btrahan Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2255 Differential Revision: https://secure.phabricator.com/D4471 2013-01-16 18:47:20 +01:00			`return pht("Daemons");`
PHD Options. Test Plan: Looked at the options render properly. Reviewers: epriestley, btrahan, chad Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2255 Differential Revision: https://secure.phabricator.com/D4367 2013-01-09 15:05:34 +01:00			`}`

			`public function getDescription() {`
			`return pht("Options relating to PHD (daemons).");`
			`}`

			`public function getOptions() {`
			`return array(`
			`$this->newOption('phd.pid-directory', 'string', '/var/tmp/phd/pid')`
			`->setDescription(`
			`pht(`
			`"Directory that phd should use to track running daemons.")),`
			`$this->newOption('phd.log-directory', 'string', '/var/tmp/phd/log')`
			`->setDescription(`
			`pht(`
			`"Directory that the daemons should use to store log files.")),`
			`$this->newOption('phd.start-taskmasters', 'int', 4)`
			`->setSummary(pht("Number of TaskMaster daemons to start by default."))`
			`->setDescription(`
			`pht(`
			`"Number of 'TaskMaster' daemons that 'phd start' should start. ".`
			`"You can raise this if you have a task backlog, or explicitly ".`
			`"launch more with 'phd launch <N> taskmaster'.")),`
			`$this->newOption('phd.verbose', 'bool', false)`
Minor, fix old call to setOptions() introduced out of order. Auditors: codeblock 2013-01-09 17:15:18 +01:00			`->setBoolOptions(`
PHD Options. Test Plan: Looked at the options render properly. Reviewers: epriestley, btrahan, chad Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2255 Differential Revision: https://secure.phabricator.com/D4367 2013-01-09 15:05:34 +01:00			`array(`
			`pht("Verbose mode"),`
			`pht("Normal mode"),`
			`))`
			`->setSummary(pht("Launch daemons in 'verbose' mode by default."))`
			`->setDescription(`
			`pht(`
			`"Launch daemons in 'verbose' mode by default. This creates a lot ".`
			`"of output, but can help debug issues. Daemons launched in debug ".`
			`"mode with 'phd debug' are always launched in verbose mode. See ".`
			`"also 'phd.trace'.")),`
Add "phd.user" with `sudo` hooks for SSH/HTTP writes Summary: Ref T2230. When fully set up, we have up to three users who all need to write into the repositories: - The webserver needs to write for HTTP receives. - The SSH user needs to write for SSH receives. - The daemons need to write for "git fetch", "git clone", etc. These three users don't need to be different, but in practice they are often not likely to all be the same user. If for no other reason, making them all the same user requires you to "git clone httpd@host.com", and installs are likely to prefer "git clone git@host.com". Using three different users also allows better privilege separation. Particularly, the daemon user can be the //only// user with write access to the repositories. The webserver and SSH user can accomplish their writes through `sudo`, with a whitelisted set of commands. This means that even if you compromise the `ssh` user, you need to find a way to escallate from there to the daemon user in order to, e.g., write arbitrary stuff into the repository or bypass commit hooks. This lays some of the groundwork for a highly-separated configuration where the SSH and HTTP users have the fewest privileges possible and use `sudo` to interact with repositories. Some future work which might make sense: - Make `bin/phd` respect this (require start as the right user, or as root and drop privileges, if this configuration is set). - Execute all `git/hg/svn` commands via sudo? Users aren't expected to configure this yet so I haven't written any documentation. Test Plan: Added an SSH user ("dweller") and gave it sudo by adding this to `/etc/sudoers`: dweller ALL=(epriestley) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack Then I ran git pushes and pulls over SSH via "dweller@localhost". They successfully interacted with the repository on disk as the "epriestley" user. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2230 Differential Revision: https://secure.phabricator.com/D7589 2013-11-18 17:58:35 +01:00			`$this->newOption('phd.user', 'string', null)`
Lock down some config options Summary: This is just a general review of config options, to reduce the amount of damage a rogue administrator (without host access) can do. In particular: - Fix some typos. - Lock down some options which would potentially let a rogue administrator do something sketchy. - Most of the new locks relate to having them register a new service account, then redirect services to their account. This potentially allows them to read email. - Lock down some general disk stuff, which could be troublesome in combination with other vulnerabilities. Test Plan: - Read through config options. - Tried to think about how to do evil things with each one. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D8928 2014-05-01 19:23:49 +02:00			`->setLocked(true)`
Add "phd.user" with `sudo` hooks for SSH/HTTP writes Summary: Ref T2230. When fully set up, we have up to three users who all need to write into the repositories: - The webserver needs to write for HTTP receives. - The SSH user needs to write for SSH receives. - The daemons need to write for "git fetch", "git clone", etc. These three users don't need to be different, but in practice they are often not likely to all be the same user. If for no other reason, making them all the same user requires you to "git clone httpd@host.com", and installs are likely to prefer "git clone git@host.com". Using three different users also allows better privilege separation. Particularly, the daemon user can be the //only// user with write access to the repositories. The webserver and SSH user can accomplish their writes through `sudo`, with a whitelisted set of commands. This means that even if you compromise the `ssh` user, you need to find a way to escallate from there to the daemon user in order to, e.g., write arbitrary stuff into the repository or bypass commit hooks. This lays some of the groundwork for a highly-separated configuration where the SSH and HTTP users have the fewest privileges possible and use `sudo` to interact with repositories. Some future work which might make sense: - Make `bin/phd` respect this (require start as the right user, or as root and drop privileges, if this configuration is set). - Execute all `git/hg/svn` commands via sudo? Users aren't expected to configure this yet so I haven't written any documentation. Test Plan: Added an SSH user ("dweller") and gave it sudo by adding this to `/etc/sudoers`: dweller ALL=(epriestley) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack Then I ran git pushes and pulls over SSH via "dweller@localhost". They successfully interacted with the repository on disk as the "epriestley" user. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T2230 Differential Revision: https://secure.phabricator.com/D7589 2013-11-18 17:58:35 +01:00			`->setSummary(pht("System user to run daemons as."))`
			`->setDescription(`
			`pht(`
			`"Specify a system user to run the daemons as. Primarily, this ".`
			`"user will own the working copies of any repositories that ".`
			`"Phabricator imports or manages. This option is new and ".`
			`"experimental.")),`
PHD Options. Test Plan: Looked at the options render properly. Reviewers: epriestley, btrahan, chad Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2255 Differential Revision: https://secure.phabricator.com/D4367 2013-01-09 15:05:34 +01:00			`$this->newOption('phd.trace', 'bool', false)`
Minor, fix old call to setOptions() introduced out of order. Auditors: codeblock 2013-01-09 17:15:18 +01:00			`->setBoolOptions(`
PHD Options. Test Plan: Looked at the options render properly. Reviewers: epriestley, btrahan, chad Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2255 Differential Revision: https://secure.phabricator.com/D4367 2013-01-09 15:05:34 +01:00			`array(`
			`pht("Trace mode"),`
			`pht("Normal mode"),`
			`))`
			`->setSummary(pht("Launch daemons in 'trace' mode by default."))`
			`->setDescription(`
			`pht(`
			`"Launch daemons in 'trace' mode by default. This creates an ".`
			`"ENORMOUS amount of output, but can help debug issues. Daemons ".`
			`"launched in debug mode with 'phd debug' are always launched in ".`
			`"trace mdoe. See also 'phd.verbose'.")),`
			`);`
			`}`

			`}`