Change Details

The **core setup never speak about how to change the daemon user**. I would even say noone ever see it is possible until one try to self host one and see one must sudo `vcs.user` to `phd.user`. We all know running process as root is bad practice but it isn't end of the world for basic phabricator daemons. It starts getting worst when we configure hosting : although all the trust I have for phabricator, I then fear that someone can use the fact I misconfigured something to escalate to root. But then **switching to another user isn't as simple as setting a new phd.user and doing `bin/phd restart`**. For multiple reasons : - the `phd` command cannot stop `root` daemons since `phd` command then cannot sudo to `phd.user` - even if we stop first then change then start, `/var/tmp/phd` will not be writeable - `phd.user` does not seems to like system users (created with useradd - r, without login shell, without home) and I don't understand why - nothing is documented, and the `bin/phd` command gives cryptic errors like "sudo failed. Launching with current user instead" and this even with `--trace` argument. So, I plan to **greatly help OSX/NSX** (Old/New Sysadmin eXperience) and thus to : - write a short documentation for installation guide (since it is much easier to directly launch as the right user) - write a longer documentation with troubleshoting, better chmod scheme for special case (hosting, file-storage) - improve setup with the following issue (change phduser - can safely be ignored, /var/tmp/phd not writeable, system user without logging shell). - improve bin/phd logging on exception @epriestley : what do you think. Would you accept such a proposal?

The **core setup never speak about how to change the daemon user**. I would even say noone ever see it is possible until one try to self host one and see one must sudo `vcs.user` to `phd.user`. We all know running process as root is bad practice but it isn't end of the world for basic phabricator daemons. It starts getting worst when we configure hosting : although all the trust I have for phabricator, I then fear that someone can use the fact I misconfigured something to escalate to root. But then **switching to another user isn't as simple as setting a new phd.user and doing `bin/phd restart`**. For multiple reasons : - the `phd` command cannot stop `root` daemons since `phd` command then cannot sudo to `phd.user` - even if we stop first then change then start, `/var/tmp/phd` will not be writeable - `phd.user` does not seems to like system users (created with `useradd - r`, without login shell, without home) and I don't understand why - nothing is documented, and the `bin/phd` command gives cryptic errors like "sudo failed. Launching with current user instead" and this even with `--trace` argument. So, I plan to **greatly help OSX/NSX** (Old/New Sysadmin eXperience) and thus to : - write a short documentation for installation guide (since it is much easier to directly launch as the right user) - write a longer documentation with troubleshoting, better chmod scheme for special case (hosting, file-storage) - improve setup with the following issue (change phduser - can safely be ignored, /var/tmp/phd not writeable, system user without logging shell). - improve bin/phd logging on exception @epriestley : what do you think. Would you accept such a proposal?

The **core setup never speak about how to change the daemon user**. I would even say noone ever see it is possible until one try to self host one and see one must sudo `vcs.user` to `phd.user`. We all know running process as root is bad practice but it isn't end of the world for basic phabricator daemons. It starts getting worst when we configure hosting : although all the trust I have for phabricator, I then fear that someone can use the fact I misconfigured something to escalate to root. But then **switching to another user isn't as simple as setting a new phd.user and doing `bin/phd restart`**. For multiple reasons : - the `phd` command cannot stop `root` daemons since `phd` command then cannot sudo to `phd.user` - even if we stop first then change then start, `/var/tmp/phd` will not be writeable - `phd.user` does not seems to like system users (created with `useradd - r`, without login shell, without home) and I don't understand why - nothing is documented, and the `bin/phd` command gives cryptic errors like "sudo failed. Launching with current user instead" and this even with `--trace` argument. So, I plan to **greatly help OSX/NSX** (Old/New Sysadmin eXperience) and thus to : - write a short documentation for installation guide (since it is much easier to directly launch as the right user) - write a longer documentation with troubleshoting, better chmod scheme for special case (hosting, file-storage) - improve setup with the following issue (change phduser - can safely be ignored, /var/tmp/phd not writeable, system user without logging shell). - improve bin/phd logging on exception @epriestley : what do you think. Would you accept such a proposal?