1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-30 01:10:58 +01:00
No description
Find a file
epriestley 476b27d9c8 Add "phd.user" with sudo hooks for SSH/HTTP writes
Summary:
Ref T2230. When fully set up, we have up to three users who all need to write into the repositories:

  - The webserver needs to write for HTTP receives.
  - The SSH user needs to write for SSH receives.
  - The daemons need to write for "git fetch", "git clone", etc.

These three users don't need to be different, but in practice they are often not likely to all be the same user. If for no other reason, making them all the same user requires you to "git clone httpd@host.com", and installs are likely to prefer "git clone git@host.com".

Using three different users also allows better privilege separation. Particularly, the daemon user can be the //only// user with write access to the repositories. The webserver and SSH user can accomplish their writes through `sudo`, with a whitelisted set of commands. This means that even if you compromise the `ssh` user, you need to find a way to escallate from there to the daemon user in order to, e.g., write arbitrary stuff into the repository or bypass commit hooks.

This lays some of the groundwork for a highly-separated configuration where the SSH and HTTP users have the fewest privileges possible and use `sudo` to interact with repositories. Some future work which might make sense:

  - Make `bin/phd` respect this (require start as the right user, or as root and drop privileges, if this configuration is set).
  - Execute all `git/hg/svn` commands via sudo?

Users aren't expected to configure this yet so I haven't written any documentation.

Test Plan:
Added an SSH user ("dweller") and gave it sudo by adding this to `/etc/sudoers`:

   dweller ALL=(epriestley) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack

Then I ran git pushes and pulls over SSH via "dweller@localhost". They successfully interacted with the repository on disk as the "epriestley" user.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2230

Differential Revision: https://secure.phabricator.com/D7589
2013-11-18 08:58:35 -08:00
bin Prepare to route VCS connections through SSH 2013-10-29 15:32:40 -07:00
conf Remove one remaining "differential.anonymous-access" 2013-11-12 07:51:25 -08:00
externals Strip +x from some WePay files 2013-11-12 17:48:47 -08:00
resources Improve handling of email verification and "activated" accounts 2013-11-12 14:37:04 -08:00
scripts Bugfix for D7596 2013-11-17 20:19:49 -08:00
src Add "phd.user" with sudo hooks for SSH/HTTP writes 2013-11-18 08:58:35 -08:00
support Remove spurious "+x" from files that shouldn't have it 2013-10-05 05:18:17 -07:00
webroot Improve handling of email verification and "activated" accounts 2013-11-12 14:37:04 -08:00
.arcconfig Use JsShrink if jsxmin is not available 2013-05-18 17:04:22 -07:00
.divinerconfig Centralize rendering of application mail bodies 2012-07-16 19:01:43 -07:00
.editorconfig Specify config for text editors 2012-11-03 22:34:44 -07:00
.gitignore Add src/extensions/ to .gitignore 2013-08-14 19:14:23 -07:00
LICENSE Delete license headers from files 2012-11-05 11:16:51 -08:00
NOTICE Increment year. 2013-01-03 05:45:08 -08:00
README Update README 2013-07-03 12:08:37 -07:00

Phabricator is an open source collection of web applications which make it
easier to write, review, and share source code. Phabricator was developed at
Facebook.

It's pretty high-quality and usable, but under active development so things 
may change quickly.

You can learn more about the project and find links to documentation and
resources at: http://phabricator.org/

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.