recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Add "phd.user" with `sudo` hooks for SSH/HTTP writes

Summary:
Ref T2230. When fully set up, we have up to three users who all need to write into the repositories:

- The webserver needs to write for HTTP receives.
- The SSH user needs to write for SSH receives.
- The daemons need to write for "git fetch", "git clone", etc.

These three users don't need to be different, but in practice they are often not likely to all be the same user. If for no other reason, making them all the same user requires you to "git clone httpd@host.com", and installs are likely to prefer "git clone git@host.com".

Using three different users also allows better privilege separation. Particularly, the daemon user can be the //only// user with write access to the repositories. The webserver and SSH user can accomplish their writes through `sudo`, with a whitelisted set of commands. This means that even if you compromise the `ssh` user, you need to find a way to escallate from there to the daemon user in order to, e.g., write arbitrary stuff into the repository or bypass commit hooks.

This lays some of the groundwork for a highly-separated configuration where the SSH and HTTP users have the fewest privileges possible and use `sudo` to interact with repositories. Some future work which might make sense:

- Make `bin/phd` respect this (require start as the right user, or as root and drop privileges, if this configuration is set).
- Execute all `git/hg/svn` commands via sudo?

Users aren't expected to configure this yet so I haven't written any documentation.

Test Plan:
Added an SSH user ("dweller") and gave it sudo by adding this to `/etc/sudoers`:

dweller ALL=(epriestley) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack

Then I ran git pushes and pulls over SSH via "dweller@localhost". They successfully interacted with the repository on disk as the "epriestley" user.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2230

Differential Revision: https://secure.phabricator.com/D7589

epriestley 476b27d9 40c0e352

+64 -12
+8
src/applications/config/option/PhabricatorPHDConfigOptions.php
··· 41 41 "of output, but can help debug issues. Daemons launched in debug ". 42 42 "mode with 'phd debug' are always launched in verbose mode. See ". 43 43 "also 'phd.trace'.")), 44 + $this->newOption('phd.user', 'string', null) 45 + ->setSummary(pht("System user to run daemons as.")) 46 + ->setDescription( 47 + pht( 48 + "Specify a system user to run the daemons as. Primarily, this ". 49 + "user will own the working copies of any repositories that ". 50 + "Phabricator imports or manages. This option is new and ". 51 + "experimental.")), 44 52 $this->newOption('phd.trace', 'bool', false) 45 53 ->setBoolOptions( 46 54 array(
+9 -2
src/applications/diffusion/controller/DiffusionServeController.php
··· 326 326 327 327 $input = PhabricatorStartup::getRawInput(); 328 328 329 - list($err, $stdout, $stderr) = id(new ExecFuture('%s', $bin)) 329 + $command = csprintf('%s', $bin); 330 + $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command); 331 + 332 + list($err, $stdout, $stderr) = id(new ExecFuture('%C', $command)) 330 333 ->setEnv($env, true) 331 334 ->write($input) 332 335 ->resolve(); ··· 422 425 $input = strlen($input)."\n".$input."0\n"; 423 426 } 424 427 425 - list($err, $stdout, $stderr) = id(new ExecFuture('%s serve --stdio', $bin)) 428 + $command = csprintf('%s serve --stdio', $bin); 429 + $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command); 430 + 431 + list($err, $stdout, $stderr) = id(new ExecFuture('%C', $command)) 426 432 ->setEnv($env, true) 427 433 ->setCWD($repository->getLocalPath()) 428 434 ->write("{$cmd}\n{$args}{$input}") ··· 545 551 546 552 return $has_pack && $is_hangup; 547 553 } 554 + 548 555 } 549 556
+4 -3
src/applications/diffusion/ssh/DiffusionSSHGitReceivePackWorkflow.php
··· 22 22 // This is a write, and must have write access. 23 23 $this->requireWriteAccess(); 24 24 25 - $future = new ExecFuture( 26 - 'git-receive-pack %s', 27 - $repository->getLocalPath()); 25 + $command = csprintf('git-receive-pack %s', $repository->getLocalPath()); 26 + $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command); 27 + 28 + $future = new ExecFuture('%C', $command); 28 29 29 30 $err = $this->newPassthruCommand() 30 31 ->setIOChannel($this->getIOChannel())
+4 -1
src/applications/diffusion/ssh/DiffusionSSHGitUploadPackWorkflow.php
··· 19 19 $path = head($args->getArg('dir')); 20 20 $repository = $this->loadRepository($path); 21 21 22 - $future = new ExecFuture('git-upload-pack %s', $repository->getLocalPath()); 22 + $command = csprintf('git-upload-pack -- %s', $repository->getLocalPath()); 23 + $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command); 24 + 25 + $future = new ExecFuture('%C', $command); 23 26 24 27 $err = $this->newPassthruCommand() 25 28 ->setIOChannel($this->getIOChannel())
+4 -4
src/applications/diffusion/ssh/DiffusionSSHMercurialServeWorkflow.php
··· 39 39 throw new Exception("Expected `hg ... serve`!"); 40 40 } 41 41 42 - $future = new ExecFuture( 43 - 'hg -R %s serve --stdio', 44 - $repository->getLocalPath()); 42 + $command = csprintf('hg -R %s serve --stdio', $repository->getLocalPath()); 43 + $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command); 45 44 46 - $io_channel = $this->getIOChannel(); 45 + $future = new ExecFuture('%C', $command); 47 46 47 + $io_channel = $this->getIOChannel(); 48 48 $protocol_channel = new DiffusionSSHMercurialWireClientProtocolChannel( 49 49 $io_channel); 50 50
+4 -1
src/applications/diffusion/ssh/DiffusionSSHSubversionServeWorkflow.php
··· 38 38 throw new Exception("Expected `svnserve -t`!"); 39 39 } 40 40 41 - $future = new ExecFuture('svnserve -t'); 41 + $command = csprintf('svnserve -t'); 42 + $command = PhabricatorDaemon::sudoCommandAsDaemonUser($command); 43 + 44 + $future = new ExecFuture('%C', $command); 42 45 43 46 $this->inProtocol = new DiffusionSubversionWireProtocol(); 44 47 $this->outProtocol = new DiffusionSubversionWireProtocol();
-1
src/applications/diffusion/ssh/DiffusionSSHWorkflow.php
··· 120 120 return $this->hasWriteAccess; 121 121 } 122 122 123 - 124 123 }
+31
src/infrastructure/daemon/PhabricatorDaemon.php
··· 19 19 return PhabricatorUser::getOmnipotentUser(); 20 20 } 21 21 22 + 23 + /** 24 + * Format a command so it executes as the daemon user, if a daemon user is 25 + * defined. This wraps the provided command in `sudo -u ...`, roughly. 26 + * 27 + * @param PhutilCommandString Command to execute. 28 + * @return PhutilCommandString `sudo` version of the command. 29 + */ 30 + public static function sudoCommandAsDaemonUser($command) { 31 + $user = PhabricatorEnv::getEnvConfig('phd.user'); 32 + if (!$user) { 33 + // No daemon user is set, so just run this as ourselves. 34 + return $command; 35 + } 36 + 37 + // Get the absolute path so we're safe against the caller wiping out 38 + // PATH. 39 + $sudo = Filesystem::resolveBinary('sudo'); 40 + if (!$sudo) { 41 + throw new Exception(pht("Unable to find 'sudo'!")); 42 + } 43 + 44 + // Flags here are: 45 + // 46 + // -E: Preserve the environment. 47 + // -n: Non-interactive. Exit with an error instead of prompting. 48 + // -u: Which user to sudo to. 49 + 50 + return csprintf('%s -E -n -u %s -- %C', $sudo, $user, $command); 51 + } 52 + 22 53 }