Page MenuHomePhabricator
Create Task
Maniphest T157883

Blocked users should not be allowed to run checkuser queries
Closed, ResolvedPublic
Actions

Description

When a user who has the checkuser rights is blocked he will still be able to run checkuser queries while being blocked from editing. Currently checkuser rights need to be removed to prevent access.

Thus, if a checkuser account is taken over (which of course itself is a worst-case-scenario), a bureaucrat+sysop might notice this, block the account and remove sysop-access to prevent unblockself, but might leave the checkuser-rights (for example because the local bureaucrat is able to remove sysop access but cannot remove checkuser access). The blocked user will still be able to run a query.

In addition to that on small wikis with just two checkusers nobody might notice that the blocked account runs queries if the second checkuser is not online, as the checkuser log is hidden.

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/CheckUsermaster+6 -0Disallow blocked users to run checkuser queries
Customize query in gerrit

Related Objects

Event Timeline

EddieGP created this task.Feb 11 2017, 9:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 11 2017, 9:36 PM
EddieGP updated the task description. (Show Details)Feb 11 2017, 9:41 PM
MarcoAurelio added a project: Stewards-and-global-tools.Feb 11 2017, 9:57 PM
MarcoAurelio added a subscriber: MarcoAurelio.
Isarra added a subscriber: Isarra.Feb 11 2017, 10:30 PM
Legoktm set Security to Software security bug.Feb 12 2017, 4:54 AM
Legoktm added a project: acl*security.
Legoktm changed the visibility from "Public (No Login Required)" to "Custom Policy".
Legoktm added a subscriber: Legoktm.
EddieGP claimed this task.Feb 12 2017, 8:23 PM

Found a patch, now I just need to work myself through the tutorials and configuring git to commit it...

MaxSem added a subscriber: MaxSem.Feb 12 2017, 9:26 PM

Please don't commit your fix publicly - attach a patch file to this bug so that it could be deployed to production before it goes public.

EddieGP added a comment.EditedFeb 12 2017, 9:41 PM

@MaxSem Sorry, I read this too late. Patch is up here:
https://gerrit.wikimedia.org/r/#/c/337326/

If there is any chance to remove this, please do so. This is literally my first bug report and commit ever, I don't know how to delete the patch from gerrit, or how I may add the patch file to this bug (just uploading the changed php file?)

Sorry :-(

Edit: I did "abandoned" but I believe this didn't solve it. Sorry again.

Platonides added a subscriber: Platonides.Feb 12 2017, 10:06 PM

Well, it's public now. I would simply continue treating it as a normal patch. Thankfully, it's not something critical, as I don't think we have rogue checkusers blocked.

Also, it's a quite trivial fix, so it should be easily merged. I have left you some comments on the patch (style issues, actually).

Thanks for your bug report and patch!

EddieGP added a comment.Feb 12 2017, 10:16 PM

@Platonides Thanks for your reply ... I was worried that I may have done something horribly wrong. I now removed the "abandoned" again (it seems this didn't help at all, still stayed public). And thanks for your annotations.

Dear all, sorry for the mess ...

EddieGP moved this task from General / Unsorted to Patches for review on the CheckUser board.Feb 12 2017, 10:20 PM
MaxSem added a comment.Feb 13 2017, 12:47 AM

Don't worry: nothing broke, nobody got hurt. Just know the procedure next time:)

EddieGP closed this task as Resolved.Feb 19 2017, 9:21 PM

Merged, though gerritbot doesn't mention this here, I guess the bot does not have permissions for security patches as those should not be on gerrit in the first place. Lesson learned. Thanks again for all the help!

EddieGP added a comment.Mar 3 2017, 3:14 PM

@Aklapper @Legoktm Could somebody please remove the policy from this one again? It's been public in gerrit & the release notes by now ...

EddieGP added a comment.Mar 23 2017, 9:37 PM

Once again, could anybody please remove the access policy here? This patch has gone public more than a month ago!

Jalexander changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 23 2017, 11:56 PM
EddieGP added a subscriber: Jalexander.Mar 24 2017, 12:48 AM

Thanks @Jalexander

MarcoAurelio moved this task from Patches for review to Done on the CheckUser board.Aug 28 2017, 1:06 PM
Melos mentioned this in T209585: Special:CheckUserLog is accessible while a user with checkuser-log right is blocked.Nov 15 2018, 1:48 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL