Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/userguide/drydock_security.diviner
| @title Drydock User Guide: Security | @title Drydock User Guide: Security | ||||
| @group userguide | @group userguide | ||||
| Understanding security concerns in Drydock. | Understanding security concerns in Drydock. | ||||
| Overview | Overview | ||||
| ======== | ======== | ||||
| Different applications use Drydock for different things, and some of the things | Different applications use Drydock for different things, and some of the things | ||||
| they do with Drydock require different levels of trust and access. It is | they do with Drydock require different levels of trust and access. It is | ||||
| important to configure Drydock properly so that less trusted code can't do | important to configure Drydock properly so that less trusted code can't do | ||||
| anything you aren't comfortable with. | anything you aren't comfortable with. | ||||
| For example, running unit tests on Drydock normally involves running relatively | For example, running unit tests on Drydock normally involves running relatively | ||||
| untrusted code (it often has a single author and has not yet been reviewed) | untrusted code (it often has a single author and has not yet been reviewed) | ||||
| that needs very few capabilities (generally, it only needs to be able to report | that needs very few capabilities (generally, it only needs to be able to report | ||||
| results back to Phabricator). In contrast, automating merge requests on Drydock | results back to Phorge). In contrast, automating merge requests on Drydock | ||||
| involves running trusted code that needs more access (it must be able to write | involves running trusted code that needs more access (it must be able to write | ||||
| to repositories). | to repositories). | ||||
| Drydock allows resources to be shared and reused, so it's possible to configure | Drydock allows resources to be shared and reused, so it's possible to configure | ||||
| Drydock in a way that gives untrusted code a lot of access by accident. | Drydock in a way that gives untrusted code a lot of access by accident. | ||||
| One way Drydock makes allocations faster is by sharing, reusing, and recycling | One way Drydock makes allocations faster is by sharing, reusing, and recycling | ||||
| resources. When an application asks Drydock for a working copy, it will try to | resources. When an application asks Drydock for a working copy, it will try to | ||||
| Show All 30 Lines | |||||
| | Isolation | Suitable For | Description | | Isolation | Suitable For | Description | ||||
| |-----------|-----|------- | |-----------|-----|------- | ||||
| | Zero | Development | Everything on one host. | | Zero | Development | Everything on one host. | ||||
| | Low | Small Installs | Use a dedicated Drydock host. | | Low | Small Installs | Use a dedicated Drydock host. | ||||
| | High | Most Installs | **Recommended**. Use low-trust and high-trust pools. | | High | Most Installs | **Recommended**. Use low-trust and high-trust pools. | ||||
| | Custom | Special Requirements | Use multiple pools. | | Custom | Special Requirements | Use multiple pools. | ||||
| | Absolute | Special Requirements | Completely isolate all resources. | | Absolute | Special Requirements | Completely isolate all resources. | ||||
| **Zero Isolation**: Run Drydock operations on the same host that Phabricator | **Zero Isolation**: Run Drydock operations on the same host that Phorge | ||||
| runs on. This is only suitable for developing or testing Phabricator. Any | runs on. This is only suitable for developing or testing Phorge. Any | ||||
| Drydock operation can potentially compromise Phabricator. It is intentionally | Drydock operation can potentially compromise Phorge. It is intentionally | ||||
| difficult to configure Drydock to operate in this mode. Running Drydock | difficult to configure Drydock to operate in this mode. Running Drydock | ||||
| operations on the Phabricator host is strongly discouraged. | operations on the Phorge host is strongly discouraged. | ||||
| **Low Isolation**: Designate a separate Drydock host and run Drydock | **Low Isolation**: Designate a separate Drydock host and run Drydock | ||||
| operations on it. This is suitable for small installs and provides a reasonable | operations on it. This is suitable for small installs and provides a reasonable | ||||
| level of isolation. However, it will allow unit tests (which often run | level of isolation. However, it will allow unit tests (which often run | ||||
| lower-trust code) to interfere with repository automation operations. | lower-trust code) to interfere with repository automation operations. | ||||
| **High Isolation**: Designate two Drydock host pools and run low-trust | **High Isolation**: Designate two Drydock host pools and run low-trust | ||||
| operations (like builds) on one pool and high-trust operations (like repository | operations (like builds) on one pool and high-trust operations (like repository | ||||
| Show All 23 Lines | |||||
| This section will help you understand the threats to a Drydock environment. | This section will help you understand the threats to a Drydock environment. | ||||
| Not all threats will be concerning to all installs, and you can choose an | Not all threats will be concerning to all installs, and you can choose an | ||||
| approach which defuses only the threats you care about. | approach which defuses only the threats you care about. | ||||
| Attackers have three primary targets: | Attackers have three primary targets: | ||||
| - capturing hosts; | - capturing hosts; | ||||
| - compromising Phabricator; and | - compromising Phorge; and | ||||
| - compromising the integrity of other Drydock processes. | - compromising the integrity of other Drydock processes. | ||||
| **Attacks against hosts** are the least sophisticated. In this scenario, an | **Attacks against hosts** are the least sophisticated. In this scenario, an | ||||
| attacker wants to run a program like a Bitcoin miner or botnet client on | attacker wants to run a program like a Bitcoin miner or botnet client on | ||||
| hardware that they aren't paying for or which can't be traced to them. They | hardware that they aren't paying for or which can't be traced to them. They | ||||
| write a "unit test" or which launches this software, then send a revision | write a "unit test" or which launches this software, then send a revision | ||||
| containing this "unit test" for review. If Phabricator is configured to | containing this "unit test" for review. If Phorge is configured to | ||||
| automatically run tests on new revisions, it may execute automatically and give | automatically run tests on new revisions, it may execute automatically and give | ||||
| the attacker access to computing resources they did not previously control and | the attacker access to computing resources they did not previously control and | ||||
| which can not easily be traced back to them. | which can not easily be traced back to them. | ||||
| This is usually only a meaningful threat for open source installs, because | This is usually only a meaningful threat for open source installs, because | ||||
| there is a high probability of eventual detection and the value of these | there is a high probability of eventual detection and the value of these | ||||
| resources is small, so employees will generally not have an incentive to | resources is small, so employees will generally not have an incentive to | ||||
| attempt this sort of attack. The easiest way to prevent this attack is to | attempt this sort of attack. The easiest way to prevent this attack is to | ||||
| prevent untrusted, anonymous contributors from running tests. For example, | prevent untrusted, anonymous contributors from running tests. For example, | ||||
| create a "Trusted Contributors" project and only run tests if a revision author | create a "Trusted Contributors" project and only run tests if a revision author | ||||
| is a member of the project. | is a member of the project. | ||||
| **Attacks against Phabricator** are more sophisticated. In this scenario, an | **Attacks against Phorge** are more sophisticated. In this scenario, an | ||||
| attacker tries to compromise Phabricator itself (for example, to make themselves | attacker tries to compromise Phorge itself (for example, to make themselves | ||||
| an administrator or gain access to an administrator account). | an administrator or gain access to an administrator account). | ||||
| This is made possible if Drydock is running on the same host as Phabricator or | This is made possible if Drydock is running on the same host as Phorge or | ||||
| runs on a privileged subnet with access to resources like Phabricator database | runs on a privileged subnet with access to resources like Phorge database | ||||
| hosts. Most installs should be concerned about this attack. | hosts. Most installs should be concerned about this attack. | ||||
| The best way to defuse this attack is to run Drydock processes on a separate | The best way to defuse this attack is to run Drydock processes on a separate | ||||
| host which is not on a privileged subnet. For example, use a | host which is not on a privileged subnet. For example, use a | ||||
| `build.mycompany.com` host or pool for Drydock processes, separate from your | `build.mycompany.com` host or pool for Drydock processes, separate from your | ||||
| `phabricator.mycompany.com` host or pool. | `phorge.mycompany.com` host or pool. | ||||
| Even if the host is not privileged, many Drydock processes have some level of | Even if the host is not privileged, many Drydock processes have some level of | ||||
| privilege (enabling them to clone repositories, or report test results back to | privilege (enabling them to clone repositories, or report test results back to | ||||
| Phabricator). Be aware that tests can hijack credentials they are run with, | Phorge). Be aware that tests can hijack credentials they are run with, | ||||
| and potentially hijack credentials given to other processes on the same hosts. | and potentially hijack credentials given to other processes on the same hosts. | ||||
| You should use credentials with a minimum set of privileges and assume all | You should use credentials with a minimum set of privileges and assume all | ||||
| processes on a host have the highest level of access that any process on the | processes on a host have the highest level of access that any process on the | ||||
| host has. | host has. | ||||
| **Attacks against Drydock** are the most sophisticated. In this scenario, an | **Attacks against Drydock** are the most sophisticated. In this scenario, an | ||||
| attacker uses one Drydock process to compromise a different process: for | attacker uses one Drydock process to compromise a different process: for | ||||
| example, a unit test which tampers with a merge or injects code into a build. | example, a unit test which tampers with a merge or injects code into a build. | ||||
| ▲ Show 20 Lines • Show All 58 Lines • Show Last 20 Lines | |||||
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0