Find alternative to safe mode in Lilypond
Closed, ResolvedPublic
Actions

Description

When typesetting a score, the command being run uses the -dsafe option, of which ensures security against malicious code, but also removes many disparate features that would be useful to the extension. This safeguard is very important, but is very rigid. Lilypond has an alternative, meant specifically for web use, but is somewhat harder to setup.

As outlined in their manual, it involves running in a chroot jail and using the --jail option. The manual also has documentation on its implications and instructions to setup (on the linked page).

Details

	Project	Branch	Lines +/-	Subject
	mediawiki/extensions/Score	master	+10 -3	Add option to use `-dsafe` argument in Lilypond command

Customize query in gerrit

Revisions and Commits

rESCR extension-Score
	rESCR8db2ac5cf0a9 Run lilypond from inside firejail

Related Objects
Search...

Status	Assigned	Task
Open	None	T50538 Create a single score from multiple pages on Wikisource
Declined	Ebe123	T54883 Usage of variables should be possible in lilypond code
Open	None	T172584 Securing external binaries run by MediaWiki
Resolved	Reedy	T172582 Run score binaries in a firejail
Resolved	None	T60526 Score: Colors names (e.g. #red) are not recognized
Open	None	T161293 Paper format with Score extension in Wikipedia is A4 only
Resolved	nikitavbv	T49604 Score should support note names in other languages
Resolved	Ebe123	T171372 Find alternative to safe mode in Lilypond

Event Timeline

Ebe123 created this task.Jul 22 2017, 4:25 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 22 2017, 4:25 AM

Ebe123 added a subtask: T161293: Paper format with Score extension in Wikipedia is A4 only.Jul 22 2017, 4:26 AM

Ebe123 added a subtask: T60526: Score: Colors names (e.g. #red) are not recognized.

Ebe123 added a subtask: T54883: Usage of variables should be possible in lilypond code.

Roomsixhu added a subscriber: Roomsixhu.Jul 22 2017, 12:56 PM

Something to figure out is just how feasible it is. This is the solution to most of the big problems there are currently, but would be hard to implement. Further, various systems have different workflows to create a chroot jail, if there is at all; Windows does not as an example. Part of the implementation would thus be adding this as an option, and passed around the extension to modify the commands.

Other extensions, such as MediaWiki-extensions-Scribunto have a "sandbox" approach, and one extension, Extension:Pipes uses our approach, but is unsupported, and with a big warning attached.

Reedy removed subtasks: T54883: Usage of variables should be possible in lilypond code, T60526: Score: Colors names (e.g. #red) are not recognized, T161293: Paper format with Score extension in Wikipedia is A4 only.Aug 5 2017, 1:37 AM

Reedy mentioned this in T172582: Run score binaries in a firejail.Aug 5 2017, 1:40 AM

Ebe123 updated the task description. (Show Details)Aug 5 2017, 1:55 AM

Ebe123 added subtasks: T54883: Usage of variables should be possible in lilypond code, T60526: Score: Colors names (e.g. #red) are not recognized, T161293: Paper format with Score extension in Wikipedia is A4 only.

The '-dsafe' option disables many different features from use in our <score tags, and so even though these subtasks look unrelated, they all have the same root cause it seems.

Another solution is to use firejail. This may be easier to setup. ( Thanks @Reedy )

Ebe123 added a subscriber: Reedy.Aug 5 2017, 3:04 AM

Ebe123 moved this task from Backlog to In Progress on the MediaWiki-extensions-Score board.Aug 5 2017, 4:27 AM

Ebe123 claimed this task.Aug 5 2017, 4:29 AM

Change 370306 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[mediawiki/extensions/Score@master] Run lilypond from inside firejail

https://gerrit.wikimedia.org/r/370306

gerritbot added a project: Patch-For-Review.Aug 5 2017, 5:13 AM

Ebe123 added a commit: rESCR8db2ac5cf0a9: Run lilypond from inside firejail.Aug 5 2017, 5:15 AM

Change 370358 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/mediawiki-config@master] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370358

Change 370361 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/puppet@production] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370361

Reedy added a parent task: T172582: Run score binaries in a firejail.Aug 6 2017, 12:50 AM

Reedy removed a subtask: T54883: Usage of variables should be possible in lilypond code.

Reedy added a parent task: T54883: Usage of variables should be possible in lilypond code.

Reedy removed a subtask: T60526: Score: Colors names (e.g. #red) are not recognized.Aug 6 2017, 12:53 AM

Reedy added a parent task: T60526: Score: Colors names (e.g. #red) are not recognized.

Reedy removed a subtask: T161293: Paper format with Score extension in Wikipedia is A4 only.

Reedy added a parent task: T161293: Paper format with Score extension in Wikipedia is A4 only.

I just realised another reason I got confused with those tasks, they weren't the right way round; the fact lilypond is not run in a firejail, and as such, does run in safe mode, prevents those features etc. They don't prevent this.

Also, see T172582, we should ideally run all the binaries that Score shells out to in firejails

Ebe123 removed a parent task: T172582: Run score binaries in a firejail.Aug 6 2017, 2:06 AM

Ebe123 added a parent task: T172582: Run score binaries in a firejail.Aug 6 2017, 2:43 AM

A global on whether to use the -dsafe option could be $wgScoreSafeMode, which the patch is providing.

Ebe123 added a parent task: T49604: Score should support note names in other languages.Aug 7 2017, 10:26 PM

• dpatrick added a subscriber: • dpatrick.Aug 17 2017, 6:01 PM

Change 370306 merged by jenkins-bot:
[mediawiki/extensions/Score@master] Add option to use -dsafe argument in Lilypond command