It turned out that the git-user (aka vcs-user) created files as phd:phd

I don't understand this -- git-user should never be creating files.

Specifically, no process should ever interact with working copies as any user except daemon-user (presumably, phd here) so the group should be irrelevant.

In particular, we do not configure any groups at all, which is why this is not mentioned in the documentation.

I don't know how to reproduce this error. I believe the sudo directive is unnecessary (we run a large number of production servers without it).

The debug-command ssh -T dweller@secure.phabricator.com is confusing. If connecting with anything else then the vcs-user the ssh-hook should deny the connection immediately.

I don't understand what's specifically confusing about this.

• Are you confused that we suggest dweller instead of vcs-user?
• Are you confused that this is a real command against a live server instead of an example command with a placeholder username/host?
• Are you confused that secure.phabricator.com has different error behavior than your local install will have?

Oh, I think I have a handle on the first issue -- you can ignore my questions about that.

Pheew.. thanks..

However, i wouldn't exclude that i misunderstood something about the moving parts of Phabricator.

I currently pressed the whole installation and update into a SaltStack-State so i think i'm able to correct any parameter of the configuration pretty fast.

In general, this configuration is a huge horrible mess but I'm having a hard time coming up with ways to really fix it that don't just tell you to run everything as root.

In particular, it's very difficult for us to verify steps and tell you what's wrong because if you make any mistake at all the symptom tends to be "nothing works" + "ssh emits a generic error message".

This is particularly an issue in the context of T10751, which makes this configuration even more complex.

We can just make this document 3x longer and exhaustively document every possible combination of user and group permissions (and e.g., include information about how SSH keys work to resolve T10602, since some users apparently don't find this obvious), but the chance that users will miss or misunderstand instructions (which they already do frequently) rises substantially.

One small simplification we could make is to have you grant sudo access to some wrapper script we control, but almost no one has trouble enumerating the big list of sudo binaries, and this would put a global (and nontrivial) performance penalty on every command we execute.

That is, we normally navigate complex configuration by verifying every step and just telling you what's wrong and how to fix it (e.g., moving all the MySQL, etc., configuration from documentation to automatic setup issues was a huge step forward), but there's basically no test we can perform on most of this chain.

I understand - i didn't wanted you to fix my configuration. I think as soon as i have some experience running phabricator in this setup i can try to help improving the setup, if even possible.

I just wanted you to know what i found out, you might think about taking something over into the documentation or not - i won't take it amiss.

I really appreciated how php- and mysql-setup-issues were treated. Offering something like that without root-permissions is pretty unlikely to achieve, i guess.

Thanks for your care though.

Just throwing my input in here:

For the Docker container that I run, we just have two users; git and nginx. nginx is used for the nginx process, but php-fpm (which actually runs the PHP code that writes files) runs as git, which is also the user that people authenticate as for SSH, and the user that daemons run as. Basically (apart from the Nginx level), it's one user for everything. We don't need to configure any sudo rules in this set up.

Interesting, thanks. I just followed the "Diffusion User Guide" which states that the git user must have access to the repos as the phd-user.

I somehow ended up with the following access-rules:

apps.root) the main root containing /phabricator, /arcanist and /libphutil.
1) I was surprised that i had to grant read and execution permissions to all. I couldn't find out which user was effectively trying to access the apps.root (and since there's only Phabricator installed there are not many choices).
2) I understood the guide in the way that that only the phd-user will have to access the repos exclusively.

I wanted to keep the git user and the daemon-user separate, only allowing the two git-operations, since this user gets active on the system and has a login-shell. The sudo rule only allows git to invoke two dedicated commands as the phd-user, which is just more restrictive.