In the Wikimedia setup of Mediawiki we wrap the execution of several external commands via firejail to mitigate the fallout of exploitable security bugs in the executed tools. This happens via local wrappers like /usr/local/bin/mediawiki-firejail-convert. It works fine for our setup, but is probably too complex for smaller installations, so Mediawiki should support this out of the box. Here's what I was thinking:
- Make the containment solution configurable (we use firejail and this is what would be initially supported, but there are also other tools like bubblewrap). When Mediawiki runs on an OS where no containment solution is installed by default (e.g. Windows) and none has been installed, execution would simply not be contained at all.
- Identify common use cases for wrapped command execution. I think we'd need at least:
  - Restricted execution without network access (e.g. "no-network")
  - Restricted execution with network access (e.g. "network")
  - Unrestricted execution (e.g. "unrestricted")
- Provide profiles for the use cases above (these can be kept generic; for firejail they would point to profile files we ship as part of the Mediawiki installation)
- Add a new function wfShellExecRestricted( $cmd, $retval, $profile ) (similar to wfShellExec but with an additional profile option)
- Mark wfShellExec() as deprecated, existing uses would need to be converted to wfShellExecRestricted()
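As an added illustration of the three profiles and the "no containment tool installed" fallback, here is a constructed POSIX sh sketch of such a wrapper. It is not MediaWiki's own mediawiki-firejail-convert; the variable names, the profile file directory and the profile file naming are assumptions.

```sh
#!/bin/sh
# Constructed sketch of the profile-based wrapper proposed above; not MediaWiki's
# own mediawiki-firejail-convert. Variable names, profile file names and the
# profile directory are assumptions.

# Directory with the shipped firejail profile files (assumed location).
MW_FIREJAIL_PROFILE_DIR="${MW_FIREJAIL_PROFILE_DIR:-/usr/share/mediawiki/firejail}"

# Containment tool: "firejail" or "none". Auto-detected when unset, so an OS
# with no containment solution installed simply runs the tool uncontained.
if [ -z "${MW_CONTAINMENT_TOOL:-}" ]; then
    if command -v firejail >/dev/null 2>&1; then
        MW_CONTAINMENT_TOOL=firejail
    else
        MW_CONTAINMENT_TOOL=none
    fi
fi

# Print the command prefix for a profile (empty when the command runs uncontained).
# Unknown profile names fail with status 2 rather than silently meaning "unrestricted".
mw_containment_prefix() {
    case "$1" in
        unrestricted) return 0 ;;
        no-network|network)
            [ "$MW_CONTAINMENT_TOOL" = none ] && return 0
            printf 'firejail --quiet --profile=%s/%s.profile --' \
                "$MW_FIREJAIL_PROFILE_DIR" "$1" ;;
        *)  echo "mw_containment_prefix: unknown profile '$1'" >&2; return 2 ;;
    esac
}

# Replace the current process with the command, contained according to the profile.
# Usage: mw_restricted_exec no-network convert in.png out.jpg
mw_restricted_exec() {
    profile="$1"; shift
    prefix=$(mw_containment_prefix "$profile") || exit $?
    # $prefix is deliberately unquoted: it is a fixed, space-separated option list
    exec $prefix "$@"
}
```

A wrapper script would source these definitions and end with `mw_restricted_exec "$MW_PROFILE" "$@"`; the per-profile firejail rules (network access, filesystem view) live in the shipped profile files, not in the wrapper.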