Maniphest T7475

Reset umask explicitly in daemons
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	epriestley
	Mar 6 2015, 4:11 PM

Tags

Referenced Files

None

Subscribers

View All 9 Subscribers

Tokens

"Like" token, awarded by 20after4.

Description

When you run phd with a nonstandard umask, it carries through to repository checkouts.

For now, we should probably just force umask to 022 in the PullLocal daemon.

If we eventually decide to sudo all CLI stuff as the daemon user we could use 077, but we have a general assumption that access to the machine is sufficient to at least partially access possibly-sensitive information (e.g., by reading remote URLs out of the process list, accessing APC, or whatever else) and that letting attackers have shells on your production hosts is inadvisable; the not-completely-restrictive 022 umask is consistent with that.

Revisions and Commits

rP Phabricator
	D15721	rP20bad9a4ba9d Reset umask to 022 for all Phabricator processes

Related Objects

Mentioned In: D15721: Reset umask to 022 for all Phabricator processes
T10756: Make daemons work correctly no matter where they are or how many copies are running
D11819: Add phd.umask option to set umask for phd daemons

Event Timeline

epriestley created this task.Mar 6 2015, 4:11 PM

epriestley raised the priority of this task from to Normal.

epriestley updated the task description. (Show Details)

epriestley added a project: Daemons.

epriestley added subscribers: epriestley, • chasemp.

We should probably also set this prior to accepting pushes via HTTP and SSH, so those writes happen under a favorable umask.

• chasemp added a project: Wikimedia.Mar 6 2015, 4:55 PM

Herald added a subscriber: qgil. · View Herald TranscriptMar 6 2015, 4:55 PM

Thanks man!

aklapper added a subscriber: aklapper.Mar 6 2015, 5:49 PM

joshuaspence added a subscriber: joshuaspence.Mar 6 2015, 8:39 PM

jdloft added a subscriber: jdloft.Mar 25 2015, 8:39 PM

liuxinyu970226 added a subscriber: liuxinyu970226.Mar 29 2015, 8:39 AM

DeanBodart moved this task from Backlog to In Progress on the Wikimedia board.Apr 27 2015, 5:13 PM

DeanBodart removed a subscriber: epriestley.

epriestley mentioned this in D11819: Add phd.umask option to set umask for phd daemons.May 17 2015, 2:34 PM

vinzent added a subscriber: vinzent.May 18 2015, 10:42 AM

eadler added a subscriber: eadler.May 22 2015, 6:55 PM

20after4 awarded a token.Sep 28 2015, 8:07 PM

greggrossmeier added a subscriber: greggrossmeier.Dec 2 2015, 6:49 PM

Herald added a subscriber: revi. · View Herald TranscriptDec 2 2015, 6:49 PM

epriestley moved this task from Backlog to Availability on the Daemons board.Apr 8 2016, 9:44 PM

epriestley mentioned this in T10756: Make daemons work correctly no matter where they are or how many copies are running.Apr 8 2016, 9:46 PM

epriestley added a revision: D15721: Reset umask to 022 for all Phabricator processes.Apr 15 2016, 4:43 PM

epriestley mentioned this in D15721: Reset umask to 022 for all Phabricator processes.Apr 15 2016, 4:47 PM

epriestley closed this task as Resolved by committing rP20bad9a4ba9d: Reset umask to 022 for all Phabricator processes.Apr 15 2016, 5:03 PM

epriestley added a commit: rP20bad9a4ba9d: Reset umask to 022 for all Phabricator processes.

liuxinyu970226 removed a subscriber: liuxinyu970226.Apr 30 2016, 12:32 PM