
Find alternative to safe mode in Lilypond
Closed, Resolved · Public

Description

When typesetting a score, the command being run uses the -dsafe option, which ensures security against malicious code, but also removes many disparate features that would be useful to the extension. This safeguard is very important, but is very rigid. Lilypond has an alternative, meant specifically for web use, but it is somewhat harder to set up.

As outlined in their manual, it involves running in a chroot jail and using the --jail option. The manual also has documentation on its implications and instructions to set it up (on the linked page).

Event Timeline

Ebe123 created this task. Jul 22 2017, 4:25 AM
Restricted Application added a subscriber: Aklapper. Jul 22 2017, 4:25 AM

Something to figure out is just how feasible it is. This is the solution to most of the big problems there are currently, but would be hard to implement. Further, various systems have different workflows to create a chroot jail, if there is one at all; Windows does not, as an example. Part of the implementation would thus be adding this as an option, and passing it around the extension to modify the commands.

Other extensions, such as MediaWiki-extensions-Scribunto, have a "sandbox" approach, and one extension, Extension:Pipes, uses our approach, but is unsupported, and with a big warning attached.

Ebe123 added a comment. Aug 5 2017, 1:59 AM

The '-dsafe' option disables many different features from use in our <score> tags, and so even though these subtasks look unrelated, they all have the same root cause, it seems.

Ebe123 added a comment. Edited Aug 5 2017, 3:03 AM

Another solution is to use firejail. This may be easier to set up. (Thanks @Reedy)

Ebe123 added a subscriber: Reedy. Aug 5 2017, 3:04 AM
Ebe123 claimed this task. Aug 5 2017, 4:29 AM

Change 370306 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[mediawiki/extensions/Score@master] Run lilypond from inside firejail

https://gerrit.wikimedia.org/r/370306

Change 370358 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/mediawiki-config@master] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370358

Change 370361 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/puppet@production] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370361

Reedy added a comment. Aug 6 2017, 12:56 AM

I just realised another reason I got confused with those tasks, they weren't the right way round; the fact lilypond is not run in a firejail, and as such, does run in safe mode, prevents those features etc. They don't prevent this.

Also, see T172582, we should ideally run all the binaries that Score shells out to in firejails.

Ebe123 renamed this task from Run lilypond from inside a chroot jail to Find alternative to safe mode in Lilypond. Aug 6 2017, 2:50 AM

A global on whether to use the -dsafe option could be $wgScoreSafeMode, which the patch is providing.

Change 370306 merged by jenkins-bot:
[mediawiki/extensions/Score@master] Add option to use -dsafe argument in Lilypond command

https://gerrit.wikimedia.org/r/370306

Ebe123 closed this task as Resolved. Aug 29 2017, 12:16 AM

An option has been set to enable/disable SafeMode, so now T174413: Set $wgScoreSafeMode to false is left for Wikimedia Wikis.
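
The trade-off discussed in this task, as an added example that is not part of the task, the Score extension, or its patches: a command builder that drops -dsafe only when an OS-level sandbox wraps LilyPond, and refuses otherwise. The function name `buildLilypondCommand()`, the firejail flag set, and the sample paths are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the Score extension or its patches.
// buildLilypondCommand() and the firejail flag set below are assumptions.

/**
 * @param bool     $safeMode Mirrors $wgScoreSafeMode: true keeps -dsafe.
 * @param string[] $sandbox  Wrapper argv placed before lilypond; [] for none.
 */
function buildLilypondCommand( bool $safeMode, array $sandbox, string $input, string $outDir ): string {
	if ( !$safeMode && $sandbox === [] ) {
		// Fail closed: without -dsafe, Scheme embedded in a user-supplied
		// score runs with the full privileges of the web server account.
		throw new RuntimeException( 'LilyPond needs -dsafe or an OS-level sandbox' );
	}
	$argv = array_merge( $sandbox, [ 'lilypond' ] );
	if ( $safeMode ) {
		$argv[] = '-dsafe';
	}
	array_push( $argv, '-o', $outDir, $input );
	// Quote every argument, since the command line is passed through a shell.
	return implode( ' ', array_map( 'escapeshellarg', $argv ) );
}

// Assumed firejail options: no network, no capabilities, seccomp filter,
// no root inside the sandbox. A real profile would also restrict the filesystem.
$firejail = [ 'firejail', '--quiet', '--net=none', '--caps.drop=all', '--seccomp', '--noroot' ];

// Constructed sample paths.
$in = '/tmp/score/file.ly';
$out = '/tmp/score/out';

echo buildLilypondCommand( true, [], $in, $out ), "\n";         // safe mode only
echo buildLilypondCommand( true, $firejail, $in, $out ), "\n";  // both layers
echo buildLilypondCommand( false, $firejail, $in, $out ), "\n"; // full features, sandboxed

try {
	// Safe mode off and no sandbox configured: must be rejected.
	buildLilypondCommand( false, [], $in, $out );
} catch ( RuntimeException $e ) {
	echo 'rejected: ', $e->getMessage(), "\n";
}
```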