Phabricator's local config file (conf/local/local.json), which holds the MySQL credentials among other settings, is world-readable:
-rw-r--r-- 1 root root 7120 Sep 14 00:42 local.json
This file has to be readable by the web server process and by the Phabricator daemons (phd), which normally run as different users, so it cannot simply be made 600.
- We can improve this slightly by making the user the phd daemons run as a member of the web server's group (www-data) and changing the file to 640 (owner read/write, group read, no access for others). Both processes still see the same credentials, but unrelated local users no longer do.
- We can further improve the situation by sandboxing repository operations to a MySQL account that only has access to the phabricator_repository and phabricator_daemon databases, so that a compromise of the daemon user does not hand over credentials for every database.
We can put different MySQL credentials in different config files by using Phabricator config environments (described here): each process is started with its own configuration file selected through the environment, so the web server and the daemons read different files. Each version of the config file can then be given its own owner, group and permissions, and each only needs to contain the credentials its reader actually uses.
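The two hardening steps above, as an added example script that is not part of the task or of Phabricator itself: a world-readability check on the mode string ls prints, a helper that tightens a config file to 640 and (when run as root) hands it to the web server's group, and a generator for the GRANT statements that confine a MySQL account to the listed databases. The account name phd, the host localhost and the SELECT/INSERT/UPDATE/DELETE privilege set are assumptions for the illustration; adjust them to what the daemons need on your install.

```shell
#!/bin/sh
# Added example, not from the task or from Phabricator: check and tighten the
# permissions of a config file, and print GRANTs for a confined MySQL account.

# Return 0 if an ls-style mode string (e.g. -rw-r--r--) grants read to
# "other". The other-read bit is the 8th character of the mode string.
world_readable() {
    case "$1" in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the 10-character ls-style mode string for a path, e.g. -rw-r-----.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Tighten a config file to 640 (owner rw, group r, nothing for others).
# Handing the file to the web server's group (e.g. www-data, so the daemon
# user can read it through group membership) needs root, so the chgrp is
# optional: it is skipped when no group is given and only warns on failure,
# which lets the example run unprivileged. Prints the resulting mode string.
harden_config() {
    file="$1"; group="${2:-}"
    chmod 640 "$file" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$file" 2>/dev/null \
            || echo "warn: could not chgrp $file to $group (run as root?)" >&2
    fi
    mode_of "$file"
}

# Print GRANT statements confining a MySQL account to the listed databases.
# Usage: daemon_grants USER HOST DB...
# The privilege set is an assumption for the example.
daemon_grants() {
    user="$1"; host="$2"; shift 2
    for db in "$@"; do
        printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" \
            "$db" "$user" "$host"
    done
}

# Usage on a real install (needs root for the chgrp):
#   harden_config /path/to/phabricator/conf/local/local.json www-data
#   daemon_grants phd localhost phabricator_repository phabricator_daemon | mysql -u root -p
```

The GRANT output is printed rather than executed so that it can be reviewed before being piped into the mysql client; the daemon user then gets a config file containing only the confined account's credentials.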