
Phabricator scripts directory needs to be readable and executable by phd.user
Closed, Resolved (Public)

Description

<epriestley> Negative24: all of phabricator needs to be readable by the vcs-user, the phd user, and the web user, since they all
<epriestley> None of them need to own it, so long as they can read/execute it.

It's causing problems with some SSH scripts needed for Gerrit-Migration.

Event Timeline

Negative24 claimed this task.
Negative24 raised the priority of this task from to Medium.
Negative24 updated the task description.
Negative24 added a project: Phabricator.
Negative24 subscribed.
Negative24 renamed this task from "Phabricator directory needs to be readable and executable by phd.user" to "Phabricator scripts directory needs to be readable and executable by phd.user". Jul 11 2015, 3:49 AM
Negative24 set Security to None.

In modules/phabricator/manifests/init.pp, line 177:

mode    => '0754',

@chasemp, is there a specific reason this is set?

> In modules/phabricator/manifests/init.pp, line 177:
>
> mode    => '0754',
>
> @chasemp, is there a specific reason this is set?

We permission access to phab binaries on the box via sudo atm.

Do they need to be locked down? We can just change the group privs to something phd is a member of.

> Do they need to be locked down? We can just change the group privs to something phd is a member of.

They do as it's not at all obvious to ppl that any shell account without this permissioning can do damage to phabricator.

A good example is /srv/phab/phabricator/scripts/daemon where we already permission for phd etc
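The permission question in this thread comes down to how POSIX picks one class (owner, group or other) for each account, so `0754` leaves phd and the VCS user with read but not execute unless the group is one they belong to. The following is an added example, not code from the task or from the Wikimedia Puppet repository; the account and group names (www-data, phd, vcs-user, phabricator) are assumptions for illustration.

```python
import grp
import os
import pwd
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A Unix account and every group it belongs to (primary plus supplementary)."""
    name: str
    groups: set = field(default_factory=set)


def effective_access(mode: int, owner: str, group: str, who: Principal):
    """Return (can_read, can_execute) for `who` on a path with these bits.

    POSIX selects exactly one permission class: owner if the account owns the
    path, else group if any of the account's groups match, else other. The
    classes are never unioned, which is why keeping 0754 and changing the group
    to one that phd and the VCS user belong to is enough to fix the symptom.
    """
    if who.name == owner:
        shift = 6
    elif group in who.groups:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return bool(bits & 0o4), bool(bits & 0o1)


def blocked(mode: int, owner: str, group: str, principals):
    """Names of principals that cannot both read and execute the path."""
    return [p.name for p in principals
            if not all(effective_access(mode, owner, group, p))]


def blocked_on_disk(path: str, principals):
    """Same check against a real path, resolving its owner and group by name."""
    st = os.stat(path)
    return blocked(st.st_mode & 0o777, pwd.getpwuid(st.st_uid).pw_name,
                   grp.getgrgid(st.st_gid).gr_name, principals)


# Constructed sample accounts; names are assumptions, not taken from the manifest.
WEB = Principal("www-data", {"www-data"})
PHD = Principal("phd", {"phd", "phabricator"})
VCS = Principal("vcs-user", {"vcs-user", "phabricator"})

if __name__ == "__main__":
    # As in the manifest: 0754 with the web user's own primary group.
    print("group www-data:", blocked(0o754, "www-data", "www-data", [WEB, PHD, VCS]))
    # The fix discussed: same mode, group one that phd and the VCS user share.
    print("group phabricator:", blocked(0o754, "www-data", "phabricator", [WEB, PHD, VCS]))
```

`blocked_on_disk` can be pointed at the real scripts directory on a host to list which of the three service accounts would be unable to run the daemon or SSH hook scripts.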

Btw, what project on labs is phab-02 in? Was hoping to take a look at the differential setup there.

@chasemp It's in the Phabricator project. Phab-02 was an old model that I was going off of while writing https://gerrit.wikimedia.org/r/#/c/222987/. Phab-pup-test has that role enabled and is the most current with the Differential/Diffusion (just realized I've been using the wrong name) setup.

Ok thanks, I'll try to take a gander at what you have going on.

Going to leave this for @chasemp. I'm not going to try anything until Gerrit-Migration calls for it.

We have functional diffusion hosting and differential now. What was the catalyst for the change?

I believe the VCS user couldn't execute the script that is responsible for checking SSH keys against the Phabricator database which blocked users from authenticating.

chasemp closed this task as Resolved. Edited Oct 22 2015, 9:22 PM

> I believe the VCS user couldn't execute the script that is responsible for checking SSH keys against the Phabricator database which blocked users from authenticating.

Hm, seems to be working now in our setup. I'm going to close, but let's reopen if we can surface the issue.