Page MenuHomePhabricator

Create a tmp directory just for MediaWiki
Closed, DeclinedPublic


This originally came up as part of but after discussing it with Tim it can be implemented outside of firejail.

Currently MW has wfTempDir() that in a default configuration is most likely to return /tmp. Due to security problems ([1]) with a world-writable /tmp dir, Tim suggested that we should create a MW-specific dir, such as /tmp/mediawiki-{wikiid}-{randomstring}. And we can make sure the permissions on that directory are not set to be world-writable. wfTempDir() would create that directory on-demand for the request with the correct permissions when the function is first invoked.

Event Timeline

Perhaps the directory should include the wikiid to isolate it from other mw installs running on the same host.

What happens then if the attacker manages to create /tmp/mediawiki ahead of time?

I also note that on my local Debian systems, while wfTempDir() returns "/tmp" that actually corresponds to something like "/tmp/systemd-private-SOMEHASH-apache2.service-SOMEHASH/tmp/" thanks to Debian including "PrivateTmp=true" in the systemd service file.

I tweaked the proposal to include the wikiid and a random string in the directory name.

I would rather do what @Anomie suggested, that is using PrivateTmp=true for php-fpm. I'll look into it.

chasemp triaged this task as Medium priority.Dec 9 2019, 5:14 PM
chasemp added a project: Security-Team.
BPirkle added a subscriber: BPirkle.

Given we've in the meantime worked on moving to kubernetes, and of the work on shellbox, I don't think this task is valid any longer. Closing this as "declined".