Page MenuHomePhabricator
Create Task
Maniphest T173370

Support restricted execution of external commands (via firejail)
Closed, ResolvedPublic
Actions

Description

In the Wikimedia setup of Mediawiki we wrap the execution of several external commands via firejail to mitigate the fallout of exploitable security bugs in the executed tools. This happens via local wrappers like /usr/local/bin/mediawiki-firejail-convert. It works fine for our setup. but is probably too complex for smaller installations, so Mediawiki should support this out of the box. Here's what I was thinking:

  • Make the containment solution configurable (we use firejail and this is what would be initially supported. but there's also other tools like bubblewrap). When running mediawiki on an OS where no containment solution is installed by default (e.g. Windows) and if no tool is being installed it would simply not contain the execution at all.
  • Identify common use cases for wrapped command execution. I think we'd need at least
    • Restricted execution without network access (e.g. "no-network")
    • Restricted execution with network access (e.g. "network")
    • Unrestricted execution (e.g. "unstricted")
  • Provide profiles for the use cases above (can be held generic. for firejail they would point to profile files we ship as part of the mediawiki installation)
  • Add a new function wfShellExecRestricted( $cmd , $retval, $profile) (so similar to wfShellExec but with an additional profile option)
  • Mark wfShellExec() as deprecated, existing uses would need to be converted to wfShellExecRestricted()

Details

SubjectRepoBranchLines +/-
shell: Optionally restrict commands' access with firejailmediawiki/coremaster+402 -4
Set $wgRestrictionMethod = 'firejail'; everywhereoperations/mediawiki-configmaster+4 -0
Allow shell commands to restrict network accessmediawiki/coremaster+69 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

MoritzMuehlenhoff created this task.Aug 15 2017, 2:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 15 2017, 2:05 PM
Legoktm added a project: MediaWiki-General.Aug 15 2017, 8:08 PM
Legoktm added subscribers: MaxSem, Legoktm.

This sounds pretty cool to me. We probably want to land @MaxSem 's refactor of wfShellExec() into a class first before adding new functionality: https://gerrit.wikimedia.org/r/#/c/319505/

Bawolff awarded a token.Aug 15 2017, 8:13 PM
Bawolff added a project: Security-Team.
Bawolff subscribed.
Nikerabbit subscribed.Aug 16 2017, 6:07 AM
dpatrick awarded a token.Aug 17 2017, 5:59 PM
dpatrick subscribed.
faidon awarded a token.Aug 23 2017, 1:30 AM
Legoktm claimed this task.Oct 4 2017, 2:34 AM
CCicalese_WMF moved this task from Inbox to MWPT-Q2-Oct-Dec-2017 on the MediaWiki-Platform-Team-Archived board.Oct 13 2017, 9:21 PM
CCicalese_WMF edited projects, added MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017); removed MediaWiki-Platform-Team-Archived.
Legoktm renamed this task from Support restricted execution of external commands to Support restricted execution of external commands (via firejail).Oct 17 2017, 7:38 PM
gerritbot subscribed.Oct 18 2017, 7:04 AM

Change 384930 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] [POC] Optionally restrict commands with firejail

https://gerrit.wikimedia.org/r/384930

gerritbot added a project: Patch-For-Review.Oct 18 2017, 7:04 AM
gerritbot added a comment.Oct 20 2017, 2:35 AM

Change 384931 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] Allow shell commands to restrict network access

https://gerrit.wikimedia.org/r/384931

gerritbot added a comment.Oct 20 2017, 2:42 AM

Change 384931 abandoned by Legoktm:
Allow shell commands to restrict network access

Reason:
squashed into parent

https://gerrit.wikimedia.org/r/384931

Legoktm moved this task from Ready to In Progress on the MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017) board.Oct 20 2017, 11:47 PM
Legoktm mentioned this in T179021: Investigate using firejail to replace limits.sh if it's installed.Oct 25 2017, 5:35 PM
gerritbot added a comment.Nov 28 2017, 12:14 AM

Change 384930 merged by jenkins-bot:
[mediawiki/core@master] shell: Optionally restrict commands' access with firejail

https://gerrit.wikimedia.org/r/384930

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 28 2017, 1:00 AM
Legoktm added a comment.Nov 28 2017, 5:41 PM

The core framework has been merged, I'll file subtasks to convert Wikimedia's manual firejailing over to use it and then I think we can close this.

Legoktm created subtask T181535: Convert Score binaries to use MediaWiki shell restrictions.Nov 28 2017, 6:00 PM
gerritbot added a comment.Nov 28 2017, 6:50 PM

Change 393825 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/mediawiki-config@master] Set $wgRestrictionMethod = 'firejail'; everywhere

https://gerrit.wikimedia.org/r/393825

Legoktm added a comment.Dec 4 2017, 4:33 AM

Documented at https://www.mediawiki.org/wiki/Manual:Shell_framework#Restrictions and https://www.mediawiki.org/wiki/Manual:$wgShellRestrictionMethod

gerritbot added a comment.Dec 4 2017, 7:14 PM

Change 393825 merged by jenkins-bot:
[operations/mediawiki-config@master] Set $wgRestrictionMethod = 'firejail'; everywhere

https://gerrit.wikimedia.org/r/393825

Stashbot subscribed.Dec 4 2017, 7:17 PM

Mentioned in SAL (#wikimedia-operations) [2017-12-04T19:17:12Z] <legoktm@tin> Synchronized wmf-config/InitialiseSettings.php: Set $wgRestrictionMethod = 'firejail'; everywhere (T173370) (duration: 00m 43s)

Smalyshev subscribed.Dec 5 2017, 1:22 AM

This looks pretty cool, however this requires every client to manually set up restrictions. Which is pretty easy to forget or to be completely unaware such feature even exists. I wonder if we shouldn't have default settings, that apply to every shell invocation, unless the client specifically invokes different one? Or maybe even stronger, a configured mandatory mask that applies to every shell invocation in general (e.g., nobody ever gets root or /dev access, no matter how much they ask, but if they ask explicitly, they can get network). The idea is to provide some default level so extension writer doesn't have to be aware of the whole thing unless they need to, and wiki admin knowing if the extension doesn't call specific methods (which is easy to check for) it will have uniform security policy with the rest of the wiki. What do you think?

Smalyshev awarded a token.Dec 5 2017, 1:22 AM
Legoktm added a comment.Dec 5 2017, 5:07 AM
In T173370#3811353, @Smalyshev wrote:

This looks pretty cool, however this requires every client to manually set up restrictions. Which is pretty easy to forget or to be completely unaware such feature even exists. I wonder if we shouldn't have default settings, that apply to every shell invocation, unless the client specifically invokes different one? Or maybe even stronger, a configured mandatory mask that applies to every shell invocation in general (e.g., nobody ever gets root or /dev access, no matter how much they ask, but if they ask explicitly, they can get network). The idea is to provide some default level so extension writer doesn't have to be aware of the whole thing unless they need to, and wiki admin knowing if the extension doesn't call specific methods (which is easy to check for) it will have uniform security policy with the rest of the wiki. What do you think?

Agreed in full that this should be our eventual goal. However, simply flipping it on by default would be a huge change and basically impossible to test properly. So our current implementation is opt-in, which lets us review each command for these kinds of restrictions. Once we have most things reviewed/restricted, we can re-evaluate the value of RESTRICT_DEFAULT (e.g. maybe NO_NETWORK should go in it) and make some restrictions opt-out. Ideally we can do this before the 1.31 release.

Legoktm closed subtask T181535: Convert Score binaries to use MediaWiki shell restrictions as Resolved.Dec 8 2017, 9:02 PM
Legoktm edited projects, added MediaWiki-Shell; removed MediaWiki-General.Dec 9 2017, 3:18 AM
Legoktm added a comment.Dec 9 2017, 10:29 AM

The main follow-up work on the patch itself were Tim's suggestions for more specific features that I didn't address:

  • Deny read access to LocalSettings.php. We could even call get_included_files() and thereby automatically deny read access to PrivateSettings.php.

T182484: Add shell restriction to deny access to LocalSettings.php

  • Require a private temporary directory. The common pattern of writing an input file to a temporary directory then running a command would need to be improved. Perhaps wfTempDir() could return a private subdirectory.

T179901: Create a tmp directory just for MediaWiki

  • Deny execve. This would prevent a range of vulnerabilities, and is used to great effect in apparmor.

This was implemented, but it doesn't actually work: T182489: The NO_EXECVE shell restriction doesn't work with firejail because of limit.sh

  • Some sort of pre-configured netfilter option which will deny access to memcached and similar services, for the benefit of commands that can't use NO_NETWORK.

T182490: Implement shell restriction alternative to NO_NETWORK that only allows HTTP(S) traffic

Legoktm added a comment.Dec 13 2017, 2:03 AM

@Smalyshev I filed T182741: Determine whether firejail shell restrictions can be enabled by default to figure out how we can enable this by default.

With that I think everything now has follow-up tasks, so we can close this as resolved.

Legoktm closed this task as Resolved.Dec 14 2017, 6:08 PM
CCicalese_WMF moved this task from In Progress to Done on the MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017) board.Dec 21 2017, 1:14 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL