Page MenuHomePhabricator
Create Task
Maniphest T179901

Create a tmp directory just for MediaWiki
Closed, DeclinedPublic
Actions

Description

This originally came up as part of https://gerrit.wikimedia.org/r/#/c/384930/ but after discussing it with Tim it can be implemented outside of firejail.

Currently MW has wfTempDir() that in a default configuration is most likely to return /tmp. Due to security problems ([1]) with a world-writable /tmp dir, Tim suggested that we should create a MW-specific dir, such as /tmp/mediawiki-{wikiid}-{randomstring}. And we can make sure the permissions on that directory are not set to be world-writable. wfTempDir() would create that directory on-demand for the request with the correct permissions when the function is first invoked.

Related Objects

Event Timeline

Legoktm created this task.Nov 7 2017, 4:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 7 2017, 4:33 AM
Bawolff added a comment.Nov 7 2017, 2:34 PM

Perhaps the directory should include the wikiid to isolate it from other mw installs running on the same host.

Anomie subscribed.Nov 7 2017, 3:43 PM

What happens then if the attacker manages to create /tmp/mediawiki ahead of time?

I also note that on my local Debian systems, while wfTempDir() returns "/tmp" that actually corresponds to something like "/tmp/systemd-private-SOMEHASH-apache2.service-SOMEHASH/tmp/" thanks to Debian including "PrivateTmp=true" in the systemd service file.

Legoktm mentioned this in T173370: Support restricted execution of external commands (via firejail).Dec 9 2017, 10:29 AM
Legoktm updated the task description. (Show Details)Dec 9 2017, 8:45 PM

I tweaked the proposal to include the wikiid and a random string in the directory name.

Legoktm moved this task from MWPT-Q2-Oct-Dec-2017 to MWPT-Q3-Jan-Mar-2018 on the MediaWiki-Platform-Team-Archived board.Dec 21 2017, 6:12 PM
Legoktm edited projects, added MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018); removed MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017).
CCicalese_WMF edited projects, added MediaWiki-Platform-Team-Archived (MWPT-Q4-Apr-Jun-2018); removed MediaWiki-Platform-Team-Archived (MWPT-Q3-Jan-Mar-2018).Apr 4 2018, 7:04 PM
Krinkle subscribed.Apr 6 2018, 3:28 AM
CCicalese_WMF edited projects, added Core-Platform-Team-Old; removed MediaWiki-Platform-Team-Archived (MWPT-Q4-Apr-Jun-2018).Jul 11 2018, 10:52 PM
CCicalese_WMF moved this task from Inbox to Backlog on the Core-Platform-Team-Old board.
tstarling assigned this task to BPirkle.Aug 7 2018, 2:11 AM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
CCicalese_WMF added a project: Platform Team Legacy (Later).Oct 1 2018, 11:32 PM
CCicalese_WMF edited projects, added Core Platform Team Goals (MCR: Uncategorized); removed Core-Platform-Team-Old.Oct 2 2018, 12:29 AM
CCicalese_WMF edited projects, added Platform Engineering; removed Core Platform Team Goals (MCR: Uncategorized).Oct 2 2018, 2:31 AM
CCicalese_WMF moved this task from Inbox to Triage Meeting Inbox on the Platform Engineering board.Oct 2 2018, 2:40 AM
CCicalese_WMF moved this task from Triage Meeting Inbox to Needs Cleaning - Security, stability, performance, and scalability (TEC1) on the Platform Engineering board.Oct 3 2018, 3:56 PM
CCicalese_WMF edited projects, added Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)); removed Platform Engineering.
WDoranWMF moved this task from Later to Mop Column on the Platform Team Legacy board.Jul 5 2019, 3:45 PM
WDoranWMF removed a project: Platform Team Legacy (Later).
Joe subscribed.Aug 2 2019, 7:05 AM

I would rather do what @Anomie suggested, that is using PrivateTmp=true for php-fpm. I'll look into it.

Joe added a project: serviceops.Aug 2 2019, 7:05 AM
Krinkle edited projects, added Performance-Team (Radar); removed Security-Core.Aug 29 2019, 12:28 AM
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.
WDoranWMF removed a project: Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)).Sep 3 2019, 6:38 PM
WDoranWMF subscribed.

Untagging CPT, please retag us if we're needed. Thanks!

chasemp triaged this task as Medium priority.Dec 9 2019, 5:14 PM
chasemp added a project: Security-Team.
chasemp moved this task from Incoming to Watching on the Security-Team board.Dec 9 2019, 5:32 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
BPirkle removed BPirkle as the assignee of this task.Jun 18 2020, 6:46 PM
BPirkle subscribed.
jijiki moved this task from Incoming 🐫 to 🔦Unused2 on the serviceops board.Aug 17 2020, 11:48 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
DanielsThomas mentioned this in T268420: GlobalIdGenerator assumes tmp path is unique.Nov 22 2020, 8:14 PM
Mstyles edited projects, added SecTeam-Processed; removed Security-Team.Oct 13 2021, 7:31 PM
Joe closed this task as Declined.Oct 14 2021, 5:47 AM

Given we've in the meantime worked on moving to kubernetes, and of the work on shellbox, I don't think this task is valid any longer. Closing this as "declined".

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL