The core setup never speak about how to change the daemon user.
We all know running process as root is bad practice but it isn't end of the world for basic phabricator daemons. It starts getting worst when we configure hosting : although all the trust I have for phabricator, I then fear that someone can use the fact I misconfigured something to escalate to root.
But then switching to another user isn't as simple as setting a new phd.user and doing bin/phd restart. For multiple reasons :
- the phd command cannot stop root daemons since phd no sidor to phd.user
- even if we stop first then change then start, /var/tmp/phd will not be writeable
- phd does not seems to like system users (created with useradd - r, without login shell, without home)
- nothing is documented, and the bin/phd command gives cryptic errors like "sudo failed. Launching with current user instead" and this even with --trace.
So, I plan to greatly help OSX/NSX (Old/New Sysadmin eXperience) and thus to :
- write a short documentation for installation guide (since it is much easier to directly launch as the right user)
- write a longer documentation with troubleshoting, better chmod scheme for special case (hosting, file-storage)
- improve setup with the following issue (change phduser - can safely be ignored, /var/tmp/phd not writeable, system user without logging shell).
- improve bin/phd logging on exception
@epriestley : what do you think. Would you accept such a proposal?