Page MenuHomePhabricator
Create Task
Maniphest T146055

Improve privilege separation for phabricator's config files and mysql credentials
Closed, ResolvedPublic
Actions

Description

Phabricator's config file is world readable:

-rw-r--r-- 1 root        root        7120 Sep 14 00:42 local.json

This file needs to be read by the web server process and by the phabricator daemons.

  1. We can improve this slightly by making phd a member of the www-data group and changing this file to 640.
  2. We can further improve the situation by sandboxing repository operations to a mysql account that only has access to phabricator_repository and phabricator_daemon databases.

We can put different mysql credentials in different config files by using phabricator config environments ( described here ). Then we can have different permissions on each version of the config file.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Phabricator: use a separate mysql user for phd daemonsoperations/puppetproduction+5 -4
phabricator: Add new db user for the daemon, separate from web request useroperations/puppetproduction+59 -0
Phabricator: Don't use vcs group, use phdoperations/puppetproduction+8 -9
phabricator: make vcs user a member of phd groupoperations/puppetproduction+3 -8
phabricator: PHABRICATOR_ENV for vcs serviceoperations/puppetproduction+19 -1
Enable multiple config files in phabricatoroperations/puppetproduction+93 -3
Customize query in gerrit

Revisions and Commits

Restricted Differential Revision

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 19 2016, 5:05 PM
mmodell claimed this task.Sep 19 2016, 5:09 PM
mmodell triaged this task as High priority.
mmodell added parent tasks: T143971: Allow easy replication of existing github/bitbucket repos, T143969: Unable to mirror repository from git.legoktm.com into diffusion.
mmodell added subscribers: chasemp, faidon, bd808 and 2 others.
greg subscribed.Sep 19 2016, 5:13 PM
chasemp added a subscriber: jcrespo.Sep 19 2016, 5:22 PM

A small note, this is the app_pass under passwords::mysql::phabricator which is for the phuser acccount and not phadmin. We'll want to coordinate with @jcrespo to change this pretty soon here. Thanks @20after4

jcrespo added a comment.Sep 19 2016, 6:03 PM

Just tell me when so I can make sure client and server change the password at the same time. By experience, it usually requires connection closing as phabricator makes usage of heavy connection pooling.

mmodell added a comment.Sep 19 2016, 7:44 PM

@chasemp, @jcrespo: it's not just about changing the password, I think we need to add a new mysql account for PhabricatorRepositoryPullLocalDaemon, which can be more limited than phuser. At least that seems like the best way to segment the repository operations from potential privilege escalation in case of an attack on git.

It looks like the repository daemon only needs access to read/write on phabricator_repository and phabricator_daemon databases. So we could, at least in theory, run the repository daemons on a separate mysql account that is limited to just those.

To deal with the permissions on the config file we probably need to add the phd user to the www-data group and then chmod 640 phabricator/conf/local/local.json

mmodell renamed this task from phabricator config (local.json) is world-readable and contains mysql password to Improve privilege separation for phabricator's config files and mysql credentials.Sep 19 2016, 7:51 PM
mmodell updated the task description. (Show Details)
chasemp added a comment.Sep 21 2016, 2:38 PM

@mmodell any luck? Most of us are going to have slim availability starting Friday 9/23 FYI.

chasemp added a comment.Nov 2 2016, 2:07 PM
In T146055#2656048, @chasemp wrote:

@mmodell any luck? Most of us are going to have slim availability starting Friday 9/23 FYI.

friendly ping :)

mmodell added a comment.Nov 14 2016, 9:08 PM

@chasemp: sorry I seem to have let this one slip, I will see if I can put together a patch for this.

mmodell added a comment.Nov 15 2016, 1:56 PM

https://gerrit.wikimedia.org/r/#/c/321654/

mmodell added a subscriber: Dzahn.Nov 15 2016, 7:48 PM

I think this is all ready to go but I'd appreciate some code review on the puppet patch. The supporting changes in phabricator will be deployed tomorrow during the scheduled upgrade: Phabricator (2016-11-16)

mmodell added a comment.EditedNov 15 2016, 8:01 PM

So here's a high-level view of what I've done with the linked changes:

  1. In 41a7167f9cfb and f38f9e13fd69, I Slightly patched phabricator to support reading from multiple json config files based on the environment variable PHABRICATOR_ENV. The default behavior of PHABRICATOR_ENV previously caused phabricator to look for a php file that returns an array. json is cleaner and the patch to phabricator core is clean / safe.
  2. https://gerrit.wikimedia.org/r/#/c/321654/ Moves the mysql configuration parameters to separate conf/local/phd.json and conf/local/www.json so now we have 3 config files which have permissions as follows.
fileusergidmode
local.jsonrootwww-data0644
www.jsonrootwww-data0640
phd.jsonrootphd0640
  1. I added the phd user to the www-data group so that the daemons can read local.json
daemon-config maplocal.jsonphd.jsonwww.json
phd daemons
apache/php

So this solves the world-readable problem and it will allow us to use separate credentials for phd and www.

mmodell added a comment.Nov 17 2016, 1:56 AM

Ok all that remains now is to create a new password, change the password in mysql, and put it in puppet/private.git

I believe we need help from a dba for the mysql part. @jcrespo?

Dzahn added a comment.Nov 17 2016, 6:27 AM

ACK, we reviewed, amended, merged and deployed together:

"Enable multiple config files in phabricator" (20after4) (https://gerrit.wikimedia.org/r/#/c/321654/)
"rename iridium-vcs to phab1001-vcs" (Dzahn) (https://gerrit.wikimedia.org/r/#/c/317290/)
"Move config for git-ssh(phabricator) to hiera" (20after4) (https://gerrit.wikimedia.org/r/#/c/318662/)
"conftool/phabricator: replace iridium-vcs with phab1001-vcs" (Paladox) (https://gerrit.wikimedia.org/r/#/c/322034/)
"phabricator: PHABRICATOR_ENV for vcs service" (20after4) (https://gerrit.wikimedia.org/r/#/c/322041/)
"phabricator: make vcs user a member of phd group" (20after4) (https://gerrit.wikimedia.org/r/#/c/322042/)
"phabricator: fix one stray PHABRICATOR_ENV=vcs" (20after4) (https://gerrit.wikimedia.org/r/#/c/322044/)

nice progress and team work

jcrespo added a comment.Nov 17 2016, 8:49 AM
In T146055#2801400, @mmodell wrote:

I believe we need help from a dba for the mysql part. @jcrespo?

This applies now: T146055#2649519 :-)

mmodell added a comment.Nov 17 2016, 10:27 PM

@jcrespo: indeed, https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/role/manifests/phabricator/main.pp;057bc7cb238c4c55e2a33e93eed65c99e5b95057$41 is where the username/pasword is set. Currently the two config files have the same username/password but it's a simple thing to change and store the new credentials in puppet/private.git

mmodell mentioned this in T151059: Pushing to diffusion git repo fails.Nov 18 2016, 2:27 PM
mmodell added a revision: Restricted Differential Revision.Nov 18 2016, 4:47 PM
mmodell added a subtask: Restricted Task.Nov 21 2016, 6:04 AM
mmodell added a subtask: T151229: Unable to issue email commands nor reply to Tasks since the last UI update.Nov 22 2016, 1:11 AM
Aklapper closed subtask Restricted Task as Resolved.Nov 25 2016, 10:50 AM
mmodell mentioned this in T143969: Unable to mirror repository from git.legoktm.com into diffusion.Dec 4 2016, 2:59 AM
mmodell lowered the priority of this task from High to Medium.Dec 5 2016, 1:49 PM
mmodell added a project: Phabricator.Dec 5 2016, 1:51 PM

I'm removing the security policy on this task as the file with credentials is no longer world readable. This task only remains open because we still need to set up separate sql account usernames for the various phabricaor daemons/processes.

mmodell changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 5 2016, 1:51 PM
mmodell changed Security from Software security bug to None.
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptDec 5 2016, 1:51 PM
Paladox moved this task from To Triage to Misc on the Phabricator board.Feb 17 2017, 4:57 PM
jcrespo added a parent task: Restricted Task.Feb 20 2017, 4:39 PM
mmodell changed the task status from Open to Stalled.Mar 15 2017, 9:51 PM
mmodell removed mmodell as the assignee of this task.

unassigning as there is nothing more I can do here.

Dzahn added a comment.Mar 15 2017, 11:15 PM

should this ticket have DBA tag?

mmodell added a project: DBA.Mar 15 2017, 11:41 PM
In T146055#3104429, @Dzahn wrote:

should this ticket have DBA tag?

Yeah probably so...

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:40 PM
Bawolff moved this task from Backlog / Other to Operational issues on the acl*security board.Dec 10 2017, 3:46 PM
1978Gage2001 moved this task from Triage to In progress on the DBA board.Dec 11 2017, 9:45 AM
Marostegui moved this task from In progress to Triage on the DBA board.Dec 11 2017, 11:06 AM
mmodell added a comment.Dec 11 2017, 7:14 PM

Upon further reflection, I suspect that it won't work to sandbox the repository operations to just those databases - operations on repositories might trigger other operations which need to touch other databases such as closing tasks when the closes: Tnnn action is detected in a commit message. It would be difficult to isolate all the possible databases that a repo daemon might need and I suspect we wouldn't gain much security from such isolation after all.

jcrespo added a comment.Feb 7 2018, 3:39 PM

We need to catch up on a lot of pending DBA-phabricator tasks (this, some pending failovers, upgrades to strech/mariadb 10.1) and proxyies, codfw deplyment. Let's try to schedule some time to do all of those, but for now it will have to wait as we have other important fires going on.

mmodell claimed this task.Feb 17 2018, 6:49 PM
Restricted Application added a project: Release-Engineering-Team (Kanban). · View Herald TranscriptFeb 17 2018, 6:49 PM
mmodell added a comment.Feb 17 2018, 6:51 PM

@jcrespo: just let me know when you are available, I'll be glad to get to work with you on any phabricator tasks.

Paladox subscribed.Feb 17 2018, 6:52 PM
mmodell moved this task from Backlog to Blocked (externally) on the Release-Engineering-Team (Kanban) board.Apr 23 2018, 4:27 PM
jcrespo added a comment.Jun 15 2018, 3:14 PM

I am now more available, this should be added to the lists of things to discuss.

jcrespo moved this task from Triage to Backlog on the DBA board.Jun 15 2018, 3:15 PM
Aklapper moved this task from Misc to Database fiddling on the Phabricator board.Aug 29 2018, 6:05 PM
mmodell added a project: User-MModell.Sep 10 2018, 4:51 PM
mmodell moved this task from Backlog to Blocked or Stalled on the User-MModell board.Sep 10 2018, 4:57 PM
Alroilim closed this task as Declined.Feb 2 2019, 7:18 PM
Alroilim removed projects: User-MModell, Release-Engineering-Team (Kanban), DBA, Phabricator, acl*security.
Alroilim updated the task description. (Show Details)
Paladox reopened this task as Stalled.Feb 2 2019, 7:32 PM
Paladox removed mmodell as the assignee of this task.
Paladox added projects: Release-Engineering-Team, Phabricator, acl*security, User-MModell, DBA.
Paladox updated the task description. (Show Details)
Paladox removed a subscriber: dpatrick.
Dzahn added a project: serviceops.Feb 4 2019, 5:57 PM
greg moved this task from INBOX to Backlog on the Release-Engineering-Team board.Mar 5 2019, 12:43 AM
greg edited projects, added Release-Engineering-Team (Backlog); removed Release-Engineering-Team.
Phabricator_maintenance edited projects, added Release-Engineering-Team-TODO; removed Release-Engineering-Team (Backlog).Jun 12 2019, 11:52 PM
Phabricator_maintenance moved this task from Should be empty (use Release-Engineering-Team) to Later / Need volunteer on the Release-Engineering-Team-TODO board.Jun 12 2019, 11:55 PM
fsero moved this task from Incoming 🐫 to Stalled 🐌 on the serviceops board.Jun 20 2019, 2:23 PM
Joe moved this task from Stalled 🐌 to Incoming 🐫 on the serviceops board.Jun 21 2019, 8:46 AM
greg added a project: Release-Engineering-Team.Jun 21 2019, 10:35 PM
greg edited projects, added Release-Engineering-Team (Development services); removed Release-Engineering-Team.Jun 24 2019, 7:50 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
mmodell mentioned this in T250361: replace phabricator db passwords with longer passwords.May 19 2020, 5:17 AM
mmodell added a comment.Aug 12 2020, 7:20 AM

The next step here is to create a $passwords::mysql::phabricator::phd_pass and update the phabricator manifest to use that password for phd. Once the password exists, it's a simple change to make phabricator use it for the phd daemon processes. See rOPUP /modules/profile/manifests/phabricator/main.pp$162

jcrespo added a comment.Aug 12 2020, 8:47 AM

I've created $passwords::mysql::phabricator::phd_pass on the private repo, but not sure which mysql user this will correspond to?

jijiki moved this task from Incoming 🐫 to cross-team active on the serviceops board.Aug 17 2020, 11:48 PM
gerritbot added a comment.Aug 18 2020, 5:52 AM

Change 620822 had a related patch set uploaded (by 20after4; owner: 20after4):
[operations/puppet@production] Phabricator: use a separate mysql user for phd daemons

https://gerrit.wikimedia.org/r/620822

gerritbot added a project: Patch-For-Review.Aug 18 2020, 5:52 AM
gerritbot added a comment.Aug 18 2020, 6:20 AM

Change 620822 merged by Jcrespo:
[operations/puppet@production] Phabricator: use a separate mysql user for phd daemons

https://gerrit.wikimedia.org/r/620822

Stashbot added a comment.Aug 18 2020, 6:21 AM

Mentioned in SAL (#wikimedia-operations) [2020-08-18T06:21:13Z] <jynus> deploy password change to phabricator service T146055

Maintenance_bot removed a project: Patch-For-Review.Aug 18 2020, 7:10 AM
jcrespo changed the task status from Stalled to Open.Aug 18 2020, 7:47 AM
gerritbot added a comment.Aug 18 2020, 7:48 AM

Change 620879 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] phabricator: Add new db user for the daemon, separate from web request user

https://gerrit.wikimedia.org/r/620879

gerritbot added a project: Patch-For-Review.Aug 18 2020, 7:48 AM
jcrespo added a comment.Aug 18 2020, 7:55 AM

This is done: https://gerrit.wikimedia.org/r/c/operations/puppet/+/620879 Anything pending other than merging that?

gerritbot added a comment.Aug 18 2020, 8:44 AM

Change 620879 merged by Jcrespo:
[operations/puppet@production] phabricator: Add new db user for the daemon, separate from web request user

https://gerrit.wikimedia.org/r/620879

Maintenance_bot removed a project: Patch-For-Review.Aug 18 2020, 9:11 AM
jcrespo moved this task from Backlog to Done on the DBA board.Aug 24 2020, 3:42 PM
Marostegui closed this task as Resolved.Sep 1 2020, 6:46 AM
Marostegui assigned this task to jcrespo.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits