
Changing phd.user seems poorly documented and overall a bad sysadmin experience
Closed, Wontfix | Public

Description

The core setup never speaks about how to change the daemon user. I would even say no one ever sees it is possible until one tries to self-host one and sees one must sudo vcs.user to phd.user.

We all know running processes as root is bad practice, but it isn't the end of the world for basic Phabricator daemons. It starts getting worse when we configure hosting: despite all the trust I have for Phabricator, I then fear that someone can use the fact that I misconfigured something to escalate to root.

But then switching to another user isn't as simple as setting a new phd.user and doing bin/phd restart, for multiple reasons:

  • the phd command cannot stop root daemons, since the phd command then cannot sudo to phd.user
  • even if we stop first, then change, then start, /var/tmp/phd will not be writeable
  • phd.user does not seem to like system users (created with useradd -r, without login shell, without home) and I don't understand why
  • nothing is documented, and the bin/phd command gives cryptic errors like "sudo failed. Launching with current user instead", and this even with the --trace argument.

So, I plan to greatly help OSX/NSX (Old/New Sysadmin eXperience) and thus to:

  • write short documentation for the installation guide (since it is much easier to directly launch as the right user)
  • write longer documentation with troubleshooting and a better chmod scheme for special cases (hosting, file-storage)
  • improve setup with the following issues (change phduser - can safely be ignored, /var/tmp/phd not writeable, system user without login shell).
  • improve bin/phd logging on exception

@epriestley: what do you think? Would you accept such a proposal?
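
An added example, not part of the original task and not Phabricator code: a preflight an administrator could run before pointing phd.user at a non-root account. It decides from owner, group and mode bits whether that account can write the daemon directory (/var/tmp/phd in the description) and reports the account's login shell. All function names and the account name in the usage comment are hypothetical; it assumes Linux with GNU stat and getent, and ignores ACLs.

```shell
#!/bin/sh
# Added example, not Phabricator code. Assumes Linux with GNU stat and getent.
# All function names are hypothetical.

# grants_write_search MODE CLASS: succeed if octal MODE gives CLASS
# (owner|group|other) both write (2) and search (1) on a directory.
grants_write_search() {
  gw_mode=$(printf '000%s' "$1" | sed 's/.*\(...\)$/\1/')  # last 3 octal digits
  case $2 in
    owner) gw_digit=$(printf '%s' "$gw_mode" | cut -c1) ;;
    group) gw_digit=$(printf '%s' "$gw_mode" | cut -c2) ;;
    *)     gw_digit=$(printf '%s' "$gw_mode" | cut -c3) ;;
  esac
  [ $(( gw_digit & 3 )) -eq 3 ]
}

# can_write_dir USER DIR: 0 writable, 1 not writable, 2 no such directory,
# 3 no such user. Uses owner/group/mode only; ACLs and read-only mounts are ignored.
can_write_dir() {
  [ -d "$2" ] || return 2
  id -u "$1" >/dev/null 2>&1 || return 3
  if [ "$(id -u "$1")" -eq 0 ]; then return 0; fi   # root bypasses mode bits
  cw_class=other
  if [ "$1" = "$(stat -c %U "$2")" ]; then
    cw_class=owner
  elif id -Gn "$1" | tr ' ' '\n' | grep -qx -- "$(stat -c %G "$2")"; then
    cw_class=group
  fi
  grants_write_search "$(stat -c %a "$2")" "$cw_class"
}

# preflight USER DIR: print what to fix before the daemons run as USER.
preflight() {
  pf_rc=0
  can_write_dir "$1" "$2" || pf_rc=$?
  case $pf_rc in
    0) echo "ok: $1 can write $2" ;;
    1) echo "fix: $2 (owner $(stat -c %U "$2")) is not writable by $1" ;;
    2) echo "fix: $2 does not exist" ;;
    3) echo "fix: user $1 does not exist" ;;
  esac
  [ "$pf_rc" -eq 3 ] || echo "info: login shell of $1: $(getent passwd "$1" | cut -d: -f7)"
  return "$pf_rc"
}

# Usage (account name is a placeholder): preflight phd-daemon /var/tmp/phd
```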