
Securing external binaries run by MediaWiki
Open, NormalPublic

Description

MediaWiki can run various external binaries for varying reasons; some, but not all, of these are secured in firejail or similar.

We should audit these, and move to securing them all as appropriate

binary                      secured?  task
ffmpeg                      no        T172298
texvc, texvccheck           no        T172583
lilypond, abc2ly, timidity  yes       T172582
ghostscript                 yes       T147041 T164000
ddjvu, djvudump             no        T182743
tiffinfo                    no
identify                    no
exiv2                       no
pdfinfo, pdftotext          no        T182746
vips                        no        T182747
pygments                    no        T182468

Event Timeline

Reedy created this task. Aug 5 2017, 2:15 AM
Restricted Application added a subscriber: Aklapper. Aug 5 2017, 2:15 AM

We can fix all these, but I think the best mid-term solution would be to implement support for contained execution on the MediaWiki end. I also spoke about this with @Bawolff at Wikimania and have just created
https://phabricator.wikimedia.org/T173370 for this. Comments welcome, I can help with all the bits on the firejail end.

dpatrick triaged this task as Normal priority. Aug 17 2017, 6:13 PM
dpatrick added a subscriber: dpatrick.

Other candidates...

  • $wgDjvuDump - djvudump
  • $wgDjvuRenderer - ddjvu
  • $wgTiffTiffinfoCommand - tiffinfo
  • $wgImageMagickIdentifyCommand - identify
  • $wgExiv2Command - exiv2
  • $wgPdfInfo - pdfinfo
  • $wgPdftoText - pdftotext
  • $wgVipsCommand - vips
Reedy updated the task description. Aug 29 2017, 12:01 AM
Reedy updated the task description. Aug 29 2017, 12:08 AM
Legoktm added a subscriber: Legoktm. Dec 8 2017, 9:06 PM

Can we make this task public? With firejail support in core now, most of these will go through MediaWiki code review now. And there's quite a few binaries missing from here, e.g. pygments, diff, ...

https://gerrit.wikimedia.org/r/397606 - shell: Add debug logging to find binaries that aren't being restricted

Fine with me
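For the migration Legoktm describes above (moving call sites onto core's firejail support), here is an unrestricted call beside its restricted replacement. This is an added example, not code from this task, from the linked Gerrit change, or from MediaWiki itself; the `Shell::command()`, `restrict()`, `limits()` calls and the `RESTRICT_DEFAULT` / `NO_NETWORK` flags are assumed from MediaWiki core's Shell class, `$wgPdfInfo` is the config variable listed above, and `$path` is a placeholder for a file MediaWiki has already stored.

```php
<?php
// Added example (not from this task or MediaWiki). Assumes MediaWiki core
// with MediaWiki\Shell\Shell available; $wgPdfInfo as listed in this task.
use MediaWiki\Shell\Shell;

function pdfInfoUnrestricted( string $path ): string {
	global $wgPdfInfo;
	// Legacy pattern: build a shell string and run it with no sandbox at all.
	// Call sites like this are what the "unrestricted binary" debug logging
	// is meant to surface during code review.
	$cmd = wfEscapeShellArg( $wgPdfInfo, $path );
	return wfShellExec( $cmd, $retval );
}

function pdfInfoRestricted( string $path ): ?string {
	global $wgPdfInfo;
	$result = Shell::command( $wgPdfInfo, $path )
		// RESTRICT_DEFAULT bundles core's default firejail restrictions
		// (no root, seccomp, private /dev, no LocalSettings.php);
		// NO_NETWORK additionally removes network access, which a
		// metadata extractor never needs.
		->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK )
		// CPU seconds, memory in KB and output size in KB, so a hostile
		// upload cannot pin a worker or fill the disk.
		->limits( [ 'time' => 30, 'memory' => 409600, 'filesize' => 102400 ] )
		->execute();
	if ( $result->getExitCode() !== 0 ) {
		wfDebugLog( 'shell', 'pdfinfo failed: ' . $result->getStderr() );
		return null;
	}
	return $result->getStdout();
}
```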

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 13 2017, 2:05 AM
Legoktm updated the task description. Dec 13 2017, 2:24 AM
Legoktm updated the task description.
Legoktm updated the task description. Dec 13 2017, 2:33 AM