Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/userguide/drydock_security.diviner
@title Drydock User Guide: Security | @title Drydock User Guide: Security | ||||
@group userguide | @group userguide | ||||
Understanding security concerns in Drydock. | Understanding security concerns in Drydock. | ||||
Overview | Overview | ||||
======== | ======== | ||||
Different applications use Drydock for different things, and some of the things | Different applications use Drydock for different things, and some of the things | ||||
they do with Drydock require different levels of trust and access. It is | they do with Drydock require different levels of trust and access. It is | ||||
important to configure Drydock properly so that less trusted code can't do | important to configure Drydock properly so that less trusted code can't do | ||||
anything you aren't comfortable with. | anything you aren't comfortable with. | ||||
For example, running unit tests on Drydock normally involves running relatively | For example, running unit tests on Drydock normally involves running relatively | ||||
untrusted code (it often has a single author and has not yet been reviewed) | untrusted code (it often has a single author and has not yet been reviewed) | ||||
that needs very few capabilities (generally, it only needs to be able to report | that needs very few capabilities (generally, it only needs to be able to report | ||||
results back to Phabricator). In contrast, automating merge requests on Drydock | results back to Phorge). In contrast, automating merge requests on Drydock | ||||
involves running trusted code that needs more access (it must be able to write | involves running trusted code that needs more access (it must be able to write | ||||
to repositories). | to repositories). | ||||
Drydock allows resources to be shared and reused, so it's possible to configure | Drydock allows resources to be shared and reused, so it's possible to configure | ||||
Drydock in a way that gives untrusted code a lot of access by accident. | Drydock in a way that gives untrusted code a lot of access by accident. | ||||
One way Drydock makes allocations faster is by sharing, reusing, and recycling | One way Drydock makes allocations faster is by sharing, reusing, and recycling | ||||
resources. When an application asks Drydock for a working copy, it will try to | resources. When an application asks Drydock for a working copy, it will try to | ||||
Show All 30 Lines | |||||
| Isolation | Suitable For | Description | | Isolation | Suitable For | Description | ||||
|-----------|-----|------- | |-----------|-----|------- | ||||
| Zero | Development | Everything on one host. | | Zero | Development | Everything on one host. | ||||
| Low | Small Installs | Use a dedicated Drydock host. | | Low | Small Installs | Use a dedicated Drydock host. | ||||
| High | Most Installs | **Recommended**. Use low-trust and high-trust pools. | | High | Most Installs | **Recommended**. Use low-trust and high-trust pools. | ||||
| Custom | Special Requirements | Use multiple pools. | | Custom | Special Requirements | Use multiple pools. | ||||
| Absolute | Special Requirements | Completely isolate all resources. | | Absolute | Special Requirements | Completely isolate all resources. | ||||
**Zero Isolation**: Run Drydock operations on the same host that Phabricator | **Zero Isolation**: Run Drydock operations on the same host that Phorge | ||||
runs on. This is only suitable for developing or testing Phabricator. Any | runs on. This is only suitable for developing or testing Phorge. Any | ||||
Drydock operation can potentially compromise Phabricator. It is intentionally | Drydock operation can potentially compromise Phorge. It is intentionally | ||||
difficult to configure Drydock to operate in this mode. Running Drydock | difficult to configure Drydock to operate in this mode. Running Drydock | ||||
operations on the Phabricator host is strongly discouraged. | operations on the Phorge host is strongly discouraged. | ||||
**Low Isolation**: Designate a separate Drydock host and run Drydock | **Low Isolation**: Designate a separate Drydock host and run Drydock | ||||
operations on it. This is suitable for small installs and provides a reasonable | operations on it. This is suitable for small installs and provides a reasonable | ||||
level of isolation. However, it will allow unit tests (which often run | level of isolation. However, it will allow unit tests (which often run | ||||
lower-trust code) to interfere with repository automation operations. | lower-trust code) to interfere with repository automation operations. | ||||
**High Isolation**: Designate two Drydock host pools and run low-trust | **High Isolation**: Designate two Drydock host pools and run low-trust | ||||
operations (like builds) on one pool and high-trust operations (like repository | operations (like builds) on one pool and high-trust operations (like repository | ||||
Show All 23 Lines | |||||
This section will help you understand the threats to a Drydock environment. | This section will help you understand the threats to a Drydock environment. | ||||
Not all threats will be concerning to all installs, and you can choose an | Not all threats will be concerning to all installs, and you can choose an | ||||
approach which defuses only the threats you care about. | approach which defuses only the threats you care about. | ||||
Attackers have three primary targets: | Attackers have three primary targets: | ||||
- capturing hosts; | - capturing hosts; | ||||
- compromising Phabricator; and | - compromising Phorge; and | ||||
- compromising the integrity of other Drydock processes. | - compromising the integrity of other Drydock processes. | ||||
**Attacks against hosts** are the least sophisticated. In this scenario, an | **Attacks against hosts** are the least sophisticated. In this scenario, an | ||||
attacker wants to run a program like a Bitcoin miner or botnet client on | attacker wants to run a program like a Bitcoin miner or botnet client on | ||||
hardware that they aren't paying for or which can't be traced to them. They | hardware that they aren't paying for or which can't be traced to them. They | ||||
write a "unit test" or which launches this software, then send a revision | write a "unit test" or which launches this software, then send a revision | ||||
containing this "unit test" for review. If Phabricator is configured to | containing this "unit test" for review. If Phorge is configured to | ||||
automatically run tests on new revisions, it may execute automatically and give | automatically run tests on new revisions, it may execute automatically and give | ||||
the attacker access to computing resources they did not previously control and | the attacker access to computing resources they did not previously control and | ||||
which can not easily be traced back to them. | which can not easily be traced back to them. | ||||
This is usually only a meaningful threat for open source installs, because | This is usually only a meaningful threat for open source installs, because | ||||
there is a high probability of eventual detection and the value of these | there is a high probability of eventual detection and the value of these | ||||
resources is small, so employees will generally not have an incentive to | resources is small, so employees will generally not have an incentive to | ||||
attempt this sort of attack. The easiest way to prevent this attack is to | attempt this sort of attack. The easiest way to prevent this attack is to | ||||
prevent untrusted, anonymous contributors from running tests. For example, | prevent untrusted, anonymous contributors from running tests. For example, | ||||
create a "Trusted Contributors" project and only run tests if a revision author | create a "Trusted Contributors" project and only run tests if a revision author | ||||
is a member of the project. | is a member of the project. | ||||
**Attacks against Phabricator** are more sophisticated. In this scenario, an | **Attacks against Phorge** are more sophisticated. In this scenario, an | ||||
attacker tries to compromise Phabricator itself (for example, to make themselves | attacker tries to compromise Phorge itself (for example, to make themselves | ||||
an administrator or gain access to an administrator account). | an administrator or gain access to an administrator account). | ||||
This is made possible if Drydock is running on the same host as Phabricator or | This is made possible if Drydock is running on the same host as Phorge or | ||||
runs on a privileged subnet with access to resources like Phabricator database | runs on a privileged subnet with access to resources like Phorge database | ||||
hosts. Most installs should be concerned about this attack. | hosts. Most installs should be concerned about this attack. | ||||
The best way to defuse this attack is to run Drydock processes on a separate | The best way to defuse this attack is to run Drydock processes on a separate | ||||
host which is not on a privileged subnet. For example, use a | host which is not on a privileged subnet. For example, use a | ||||
`build.mycompany.com` host or pool for Drydock processes, separate from your | `build.mycompany.com` host or pool for Drydock processes, separate from your | ||||
`phabricator.mycompany.com` host or pool. | `phorge.mycompany.com` host or pool. | ||||
Even if the host is not privileged, many Drydock processes have some level of | Even if the host is not privileged, many Drydock processes have some level of | ||||
privilege (enabling them to clone repositories, or report test results back to | privilege (enabling them to clone repositories, or report test results back to | ||||
Phabricator). Be aware that tests can hijack credentials they are run with, | Phorge). Be aware that tests can hijack credentials they are run with, | ||||
and potentially hijack credentials given to other processes on the same hosts. | and potentially hijack credentials given to other processes on the same hosts. | ||||
You should use credentials with a minimum set of privileges and assume all | You should use credentials with a minimum set of privileges and assume all | ||||
processes on a host have the highest level of access that any process on the | processes on a host have the highest level of access that any process on the | ||||
host has. | host has. | ||||
**Attacks against Drydock** are the most sophisticated. In this scenario, an | **Attacks against Drydock** are the most sophisticated. In this scenario, an | ||||
attacker uses one Drydock process to compromise a different process: for | attacker uses one Drydock process to compromise a different process: for | ||||
example, a unit test which tampers with a merge or injects code into a build. | example, a unit test which tampers with a merge or injects code into a build. | ||||
▲ Show 20 Lines • Show All 58 Lines • Show Last 20 Lines |
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0