
Find alternative to safe mode in Lilypond
Closed, ResolvedPublic


When typesetting a score, the command being run uses the -dsafe option, which ensures security against malicious code, but also removes many disparate features that would be useful to the extension. This safeguard is very important, but is very rigid. Lilypond has an alternative, meant specifically for web use, but it is somewhat harder to set up.

As outlined in their manual, it involves running in a chroot jail and using the --jail option. The manual also has documentation on its implications and instructions to set it up (on the linked page).


Event Timeline

Something to figure out is just how feasible it is. This is the solution to most of the big problems there are currently, but would be hard to implement. Further, various systems have different workflows to create a chroot jail, if there is one at all; Windows does not, as an example. Part of the implementation would thus be adding this as an option and passing it around the extension to modify the commands.

Other extensions, such as MediaWiki-extensions-Scribunto, have a "sandbox" approach, and one extension, Extension:Pipes, uses our approach, but is unsupported, and with a big warning attached.

The '-dsafe' option disables many different features from use in our <score> tags, and so even though these subtasks look unrelated, they all have the same root cause, it seems.

Another solution is to use firejail. This may be easier to set up. (Thanks @Reedy)

Change 370306 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[mediawiki/extensions/Score@master] Run lilypond from inside firejail

Change 370358 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/mediawiki-config@master] Run Lilypond from Firejail

Change 370361 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/puppet@production] Run Lilypond from Firejail

I just realised another reason I got confused with those tasks: they weren't the right way round. The fact lilypond is not run in a firejail, and as such does run in safe mode, prevents those features etc. They don't prevent this.

Also, see T172582; we should ideally run all the binaries that Score shells out to in firejails.

Ebe123 renamed this task from Run lilypond from inside a chroot jail to Find alternative to safe mode in Lilypond. Aug 6 2017, 2:50 AM

A global on whether to use the -dsafe option could be $wgScoreSafeMode, which the patch is providing.
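The two approaches discussed in this task (keeping -dsafe, or dropping it and running lilypond inside firejail, switched by a $wgScoreSafeMode-style option) can be illustrated with a small wrapper script. This is an added example, not code from the Score extension, the linked patches or anyone in this thread. It assumes firejail and lilypond are on PATH, that each render has its own scratch directory containing the .ly source, and that the wrapper is called from outside the web request (from the extension's shell-out). The function names, the directory layout, the chosen firejail restrictions and the 30 second timeout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Score extension or this task): pick between
# lilypond's own -dsafe mode and an OS-level firejail sandbox.
# Assumptions: firejail and lilypond on PATH; one scratch directory per render
# holding the score source; hypothetical helper names chosen for this example.

# Print the command line to run, one argument per line.
#   $1  safe mode flag: 1 = keep -dsafe, 0 = drop it and use firejail
#   $2  scratch directory that holds the score source
#   $3  score file name, relative to the scratch directory
lilypond_cmd() {
    safe_mode="$1"; workdir="$2"; score="$3"

    if [ "$safe_mode" = 1 ]; then
        # Simple but restrictive: -dsafe disables Scheme features inside
        # lilypond itself, which is what removes the functionality wanted here.
        printf '%s\n' lilypond -dsafe --loglevel=ERROR -o rendered "$score"
        return 0
    fi

    # Sandbox at the OS level instead, so lilypond can run without -dsafe:
    #   --private=DIR    DIR is mounted as the sandbox's home directory
    #   --net=none       renderer gets no network access
    #   --caps.drop=all, --nonewprivs, --noroot   no privilege escalation
    #   --seccomp        firejail's default syscall filter
    #   --private-dev, --private-tmp   fresh /dev and /tmp
    #   --timeout        kill a runaway render after hh:mm:ss
    printf '%s\n' \
        firejail --quiet --noprofile \
        "--private=$workdir" --net=none --nosound \
        --caps.drop=all --nonewprivs --noroot --seccomp \
        --private-dev --private-tmp --timeout=00:00:30 \
        -- lilypond --loglevel=ERROR -o rendered "$score"
}

# 0 when the sandbox is usable on this host; otherwise the caller can fall
# back to safe mode rather than fail (not every platform can jail, as noted).
sandbox_available() {
    command -v firejail >/dev/null 2>&1
}

# Run one render from inside the scratch directory. With --private the
# directory becomes home, and firejail falls back to home when the original
# working directory is not visible inside the sandbox, so the relative score
# path resolves in both cases.
run_render() {
    workdir="$1"; score="$2"
    if sandbox_available; then mode=0; else mode=1; fi
    cd "$workdir" || return 1
    # Split the printed command on newlines only, so paths with spaces survive.
    oldifs=$IFS; IFS='
'
    set -- $(lilypond_cmd "$mode" "$workdir" "$score")
    IFS=$oldifs
    "$@"
}

# Usage: ./render.sh /path/to/scratch score.ly
if [ "$#" -eq 2 ]; then
    run_render "$1" "$2"
fi
```

The point of the split is that the safe-mode branch and the sandboxed branch produce the same output location and the same log level, so the extension's handling of results does not change when the global is flipped; only the trust boundary moves from inside lilypond to the kernel-enforced sandbox.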

Change 370306 merged by jenkins-bot:
[mediawiki/extensions/Score@master] Add option to use -dsafe argument in Lilypond command

An option has been set to enable/disable SafeMode, so now T174413: Set $wgScoreSafeMode to false is left for Wikimedia Wikis.