Page MenuHomePhabricator
Create Task
Maniphest T172584

Securing external binaries run by MediaWiki
Closed, DeclinedPublic
Actions

Description

MediaWiki can run various external binaries for varying reasons, some, but not all of these are secured in firejails/similar

We should audit these, and move to securing them all as appropriate

binarysecured?task
ffmpegnoT172298
texvc, texvcchecknoT172583
lilypond, abc2ly, timidityyesT172582
ghostcriptyesT147041 T164000
ddjvu, djvudumpnoT182743
tiffinfono
identifyno
exiv2no
pdfinfo, pdftotextnoT182746
vipsyesT182747
pygmentsyesT182468

Related Objects
Search...

Event Timeline

Reedy created this task.Aug 5 2017, 2:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 5 2017, 2:15 AM
Reedy added projects: WMF-General-or-Unknown, SRE.Aug 5 2017, 2:15 AM
MoritzMuehlenhoff added subscribers: Bawolff, MoritzMuehlenhoff.Aug 15 2017, 2:09 PM

We can fix all these, but I think the best mid-term solution would be to implement support for contained execution on the Mediawiki end. I also spoke about this with @Bawolff at Wikimania and have just created
https://phabricator.wikimedia.org/T173370 for this. Comments welcome, I can help with all the bits on the firejail end.

dpatrick triaged this task as Medium priority.Aug 17 2017, 6:13 PM
dpatrick subscribed.
dpatrick awarded a token.Aug 17 2017, 6:20 PM
Reedy updated the task description. (Show Details)Aug 28 2017, 11:39 PM
Reedy added subtasks: Restricted Task, Restricted Task, T172582: Run score binaries in a firejail.
Reedy added subtasks: T147041: Multiple ghostscript vulnerabilities, T164000: ghostscript dSafer bypass.
Reedy added a comment.Aug 28 2017, 11:58 PM

Other candidates...

  • $wgDjvuDump - djvudump
  • $wgDjvuRenderer - ddjvu
  • $wgTiffTiffinfoCommand - tiffinfo
  • $wgImageMagickIdentifyCommand - identify
  • $wgExiv2Command - exiv2
  • $wgPdfInfo - pdfinfo
  • $wgPdftoText - pdftotext
  • $wgVipsCommand - vips
Reedy updated the task description. (Show Details)Aug 29 2017, 12:01 AM
Reedy updated the task description. (Show Details)Aug 29 2017, 12:08 AM
Legoktm subscribed.Dec 8 2017, 9:06 PM

Can we make this task public? With firejail support in core now, most of these will go through MediaWiki code review now. And there's quite a few binaries missing from here, e.g. pygments, diff, ...

Legoktm added a subtask: T182468: Restrict pygments with firejail.Dec 8 2017, 9:47 PM
Legoktm updated the task description. (Show Details)
Tgr added a project: MediaWiki-Shell.Dec 8 2017, 10:36 PM
Legoktm added a comment.Dec 11 2017, 7:23 PM

https://gerrit.wikimedia.org/r/397606 - shell: Add debug logging to find binaries that aren't being restricted

MoritzMuehlenhoff added a comment.Dec 12 2017, 12:17 PM
In T172584#3824124, @Legoktm wrote:

Can we make this task public? With firejail support in core now, most of these will go through MediaWiki code review now. And there's quite a few binaries missing from here, e.g. pygments, diff, ...

Fine with me

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 13 2017, 2:05 AM
Legoktm updated the task description. (Show Details)Dec 13 2017, 2:24 AM
Legoktm updated the task description. (Show Details)
Legoktm updated the task description. (Show Details)Dec 13 2017, 2:33 AM
Legoktm closed subtask T182468: Restrict pygments with firejail as Resolved.Jan 12 2018, 1:27 AM
BPirkle closed subtask T182748: $wgExternalDiffEngine should have shell restrictions as Resolved.Oct 2 2018, 4:29 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:25 PM
xSavitar closed subtask T182744: $wgMimeDetectorCommand should have shell restrictions applied as Resolved.Jan 31 2019, 6:29 PM
xSavitar closed subtask T182745: Installer's shelling out to `locale` should have shell restrictions applied as Resolved.Jan 31 2019, 6:41 PM
xSavitar closed subtask T182747: vips binary should have shell restrictions applied as Resolved.Jan 31 2019, 6:45 PM
TheDJ mentioned this in T240455: Large TIFF files do not pass file verification (related to version of image magick installed).Dec 24 2019, 10:14 AM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
Reedy updated the task description. (Show Details)Apr 20 2020, 11:53 PM
DannyS712 subscribed.Apr 21 2020, 12:03 AM
Reedy mentioned this in T257062: Lilypond seemingly not subject to restrictions (CVE-2020-29007).Jul 3 2020, 9:03 PM
Krinkle added a project: Sustainability (Incident Followup).Jul 3 2020, 9:23 PM
TheDJ closed subtask T182746: PdfHandler binaries should have shell restrictions applied to them as Resolved.Jun 14 2022, 11:05 PM
LSobanski closed subtask Restricted Task as Resolved.Jan 6 2023, 12:08 PM
Joe closed this task as Declined.Mar 20 2023, 7:04 AM
Joe subscribed.

There is no point in working on firejail profiles given we've introduced shellbox in the meantime.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL