Page MenuHomePhabricator
Create Task
Maniphest T7185

Review all configuration and lock anything that has paths or magic in it
Closed, ResolvedPublic
Actions

Description

We should just run through this and make sure instances can't adjust path settings for this stuff, and that it's all forced to some reasonable, namespaced path.

Revisions and Commits

Restricted Diffusion Commit
rP Phabricator
D11764rPe5b402d13f76 Lock all reply-handler options in the upstream, plus cookie prefix
D11763rPebebeb8f7cb7 Upgrade "masked" config to "hidden"

Event Timeline

epriestley created this task.Feb 5 2015, 10:43 PM
epriestley raised the priority of this task from to Needs Triage.
epriestley updated the task description. (Show Details)
epriestley added a project: Phacility.
epriestley moved this task to v0 Closed Beta on the Phacility board.
epriestley added a subscriber: epriestley.

Taskmaster count should get locked, too.

epriestley assigned this task to btrahan.Feb 10 2015, 7:00 PM

It would probably be good if we both did a pass through this and compared notes. Basically:

  • Look through all the config options.
  • For options which are not "Locked", can any be set to something which would cause problems with instances? An example is if two instances can set a log file to the same path.
  • We set some options in PhacilitySiteSource in rSERVICES, but currently do not add any locks. Most of the options we set should have locks added if they aren't already locked.
  • Broadly, for each option, can you come up with a way that users could break their installs or cause trouble by adjusting it?

Once we have a list of things that should be locked, we can trivially lock it in PhacilitySiteSource.

btrahan triaged this task as Normal priority.Feb 10 2015, 7:06 PM
btrahan added a comment.Feb 10 2015, 7:27 PM

This table are issues where I worried about different instances having the same value...

keyconcern
asana.project-idsI think okay but worth raising
asana.workspace-idI think okay but worth raising
metamta.default-addresscould break per instance reply to email functionality
metamta.differential.reply-handler-domaincould break per instance reply to email functionality
metamta.diffusion.reply-handler-domaincould break per instance reply to email functionality
metamta.macro.reply-handler-domaincould break per instance reply to email functionality
metamta.maniphest.reply-handler-domaincould break per instance reply to email functionality
metamta.pholio.reply-handler-domaincould break per instance reply to email functionality
metamta.reply-handler-domaincould break per instance reply to email functionality
notification.loglog collision
notification.pidfilepid collision
phd.log-directorylog collision
phd.pid-directorypid collision
sms.default-sendercould break per instance reply to SMS functionality
storage.s3.bucketshould be unique per instance probably

This table is config that the users can basically break their instance for fun in some way right now?

keyconcern
metamta.differential.reply-handlercan't really add alternate handler
metamta.diffusion.reply-handlercan't really add alternate handler
metamta.maniphest.reply-handlercan't really add alternate handler
metamta.package.reply-handlercan't really add alternate handler
btrahan reassigned this task from btrahan to epriestley.Feb 10 2015, 7:28 PM
btrahan added a subscriber: btrahan.
epriestley added a comment.Feb 10 2015, 7:28 PM

thx u :3

epriestley added a comment.Feb 13 2015, 3:43 PM

Here's my list. We should probably lock these:

asana.project-ids
asana.workspace-id
celerity.minify
celerity.resource-hash
metamta.mail-adapter
phd.variant-config
phd.trace
phd.verbose
search.engine-selector
sms.default-adapter
sms.default-sender
storage.mysql-engine.max-size
syntax-highlighter.engine

...and probably adjust and lock these:

diffusion.ssh-port
diffusion.ssh-user
files.enable-imagemagick
log.access.path
log.ssh.path
metamta.default-address
metamta.domain
metamta.single-reply-handler-prefix
notification.client-uri
notification.log
notification.pidfile
notification.server-uri
notification.ssl-cert
notification.ssl-key
phabricator.production-uri
phd.log-directory
phd.pid-directory
phd.start-taskmasters
storage.engine-selector
storage.s3.bucket
storage.upload-size-limit

...and adjust (but not lock) this:

notification.enabled

...and maybe lock these some day although they seem fine for now:

debug.profile-rate
debug.stop-on-redirect
debug.time-limit

...and probably lock these in the upstream:

*.reply-handler (on the way out, not very useful anyway)
*.reply-handler-domain (could be used by a compromised administrator account to trick users to replying to mail and sending it to an attacker)
phabricator.cookie-prefix (can kind-of-break installs)

epriestley added a comment.Feb 13 2015, 3:44 PM

Lists look pretty similar, I was just a little more aggressive. A couple things are blocked on S3/Aphlict. I agree on Asana being not-dangerous but think it's worth locking to avoid confusion.

epriestley added a revision: D11763: Upgrade "masked" config to "hidden".Feb 13 2015, 3:48 PM
epriestley added a revision: D11764: Lock all reply-handler options in the upstream, plus cookie prefix.Feb 13 2015, 3:53 PM
epriestley added a commit: rPebebeb8f7cb7: Upgrade "masked" config to "hidden".Feb 13 2015, 6:59 PM
epriestley added a commit: rPe5b402d13f76: Lock all reply-handler options in the upstream, plus cookie prefix.
epriestley closed this task as Resolved by committing Restricted Diffusion Commit.Feb 14 2015, 2:25 PM
epriestley added a commit: Restricted Diffusion Commit.
Phabricator · Built by Phacility