Page MenuHomePhabricator
Create Task
Maniphest T171372

Find alternative to safe mode in Lilypond
Closed, ResolvedPublic
Actions

Description

When typesetting a score, the command being run uses the -dsafe option, of which ensures security against malicious code, but also removes many disparate features that would be useful to the extension. This safeguard is very important, but is very rigid. Lilypond has an alternative, meant specifically for web use, but is somewhat harder to setup.

As outlined in their manual, it involves running in a chroot jail and using the --jail option. The manual also has documentation on its implications and instructions to setup (on the linked page).

Details

Commits
rESCR8db2ac5cf0a9: Run lilypond from inside firejail
Related Gerrit Patches:
mediawiki/extensions/Score : masterAdd option to use `-dsafe` argument in Lilypond command

Related Objects
Search...

Event Timeline

Ebe123 created this task.Jul 22 2017, 4:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 22 2017, 4:25 AM
Ebe123 added a project: Security-General.Jul 25 2017, 5:32 AM

Something to figure out is just how feasible it is. This is the solution to most of the big problems there are currently, but would be hard to implement. Further, various systems have different workflows to create a chroot jail, if there is at all; Windows does not as an example. Part of the implementation would thus be adding this as an option, and passed around the extension to modify the commands.

Other extensions, such as MediaWiki-extensions-Scribunto have a "sandbox" approach, and one extension, Extension:Pipes uses our approach, but is unsupported, and with a big warning attached.

Ebe123 added a comment.Aug 5 2017, 1:59 AM

The '-dsafe' option disables many different features from use in our <score tags, and so even though these subtasks look unrelated, they all have the same root cause it seems.

Ebe123 added a comment.EditedAug 5 2017, 3:03 AM

Another solution is to use firejail. This may be easier to setup. ( Thanks @Reedy )

Ebe123 added a subscriber: Reedy.Aug 5 2017, 3:04 AM
Ebe123 claimed this task.Aug 5 2017, 4:29 AM
gerritbot added a subscriber: gerritbot.Aug 5 2017, 5:13 AM

Change 370306 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[mediawiki/extensions/Score@master] Run lilypond from inside firejail

https://gerrit.wikimedia.org/r/370306

gerritbot added a comment.Aug 5 2017, 10:37 PM

Change 370358 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/mediawiki-config@master] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370358

gerritbot added a comment.Aug 5 2017, 11:41 PM

Change 370361 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/puppet@production] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370361

Reedy added a comment.Aug 6 2017, 12:56 AM

I just realised another reason I got confused with those tasks, they weren't the right way round; the fact lilypond is not run in a firejail, and as such, does run in safe mode, prevents those features etc. They don't prevent this.

Also, see T172582, we should ideally run all the binaries that Score shells out to in firejails

Ebe123 renamed this task from Run lilypond from inside a chroot jail to Find alternative to safe mode in Lilypond.Aug 6 2017, 2:50 AM

A global on whether to use the -dsafe option could be $wgScoreSafeMode, which the patch is providing.

gerritbot added a comment.Aug 28 2017, 9:21 PM

Change 370306 merged by jenkins-bot:
[mediawiki/extensions/Score@master] Add option to use -dsafe argument in Lilypond command

https://gerrit.wikimedia.org/r/370306

Ebe123 closed this task as Resolved.Aug 29 2017, 12:16 AM
Ebe123 mentioned this in T174413: Set $wgScoreSafeMode to false.

An option has been set to enable/disable SafeMode, so now T174413: Set $wgScoreSafeMode to false is left for Wikimedia Wikis.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL