Page MenuHomePhabricator

Lock down some config options
ClosedPublic

Authored by epriestley on May 1 2014, 3:45 PM.
Tags
None
Referenced Files
F14011879: D8928.diff
Fri, Nov 1, 5:33 AM
F14008475: D8928.id.diff
Tue, Oct 29, 10:27 PM
F13967301: D8928.diff
Wed, Oct 16, 12:48 PM
Unknown Object (File)
Oct 2 2024, 4:37 AM
Unknown Object (File)
Sep 20 2024, 2:28 PM
Unknown Object (File)
Sep 20 2024, 1:44 PM
Unknown Object (File)
Sep 20 2024, 11:42 AM
Unknown Object (File)
Sep 9 2024, 8:54 PM
Subscribers

Details

Reviewers
btrahan
Commits
Restricted Diffusion Commit
rP7145587df7fb: Lock down some config options
Summary

This is just a general review of config options, to reduce the amount of damage a rogue administrator (without host access) can do. In particular:

  • Fix some typos.
  • Lock down some options which would potentially let a rogue administrator do something sketchy.
    • Most of the new locks relate to having them register a new service account, then redirect services to their account. This potentially allows them to read email.
    • Lock down some general disk stuff, which could be troublesome in combination with other vulnerabilities.
Test Plan
  • Read through config options.
  • Tried to think about how to do evil things with each one.

Diff Detail

Repository
rP Phabricator
Branch
lockconfig
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 167
Build 167: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley retitled this revision from to Lock down some config options.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
src/applications/config/option/PhabricatorAWSConfigOptions.php
17–37

The general reason to lock services like this is to prevent an attacker from registering an SES account, rerouting mail through their account, and then turning on some debug options in SES which let them read mail (for example). Generally, I've locked the account IDs for all configurable services.

src/applications/config/option/PhabricatorCoreConfigOptions.php
141

If an attacker can somehow get a bad svn on the system, this could let them execute it by putting the path where it is located first. This just raises the barrier to executing an attack, it doesn't prevent anything specific on its own.

src/applications/config/option/PhabricatorExtendingPhabricatorConfigOptions.php
35

Mostly, in general no one should be setting this.

src/applications/config/option/PhabricatorMailgunConfigOptions.php
17

Service lock.

src/applications/config/option/PhabricatorPHDConfigOptions.php
45

This doesn't prevent anything specific, but in theory an attacker could some day use this to get code in the daemons running as a different user than it is supposed to, which could be bad.

src/applications/config/option/PhabricatorPHPMailerConfigOptions.php
17

All service locks.

src/applications/config/option/PhabricatorSecurityConfigOptions.php
19

This doesn't really prevent anything specific, but other domains have cookie issues and this one may have similar concerns in the future.

(An attacker could maybe set it to point at a proxy they control, then learn the URLs of files.)

47

Locking the hash secrets prevents an attacker from changing the value to one they know/control.

203

Prevents an attacker from enabling this if administrators have disabled it.

src/applications/config/option/PhabricatorSendGridConfigOptions.php
17

Service lock.

src/applications/files/config/PhabricatorFilesConfigOptions.php
121

Prevents an attacker from setting the local disk path to something like the path to phabricator/, which could help them upload files to places they shouldn't be able to. I can't think of any specific harm this could cause (they don't control file names) but this generally raises barriers.

src/applications/phame/config/PhabricatorPhameConfigOptions.php
22

An attacker who managed to get files elsewhere on the server could theoretically load and execute one as a phame skin, maybe.

src/applications/phortune/option/PhabricatorPhortuneConfigOptions.php
64

Service lock.

src/applications/repository/PhabricatorRepositoryConfigOptions.php
20

Like the other filesystem stuff, this is a general filesystem lock and prevents attackers from getting files to write to unexpected places.

btrahan edited edge metadata.
This revision is now accepted and ready to land.May 1 2014, 5:21 PM
epriestley updated this revision to Diff 21193.

Closed by commit rP7145587df7fb (authored by @epriestley).