Page MenuHomePhabricator
Create Task
Maniphest T181535

Convert Score binaries to use MediaWiki shell restrictions
Closed, ResolvedPublic
Actions

Description

...instead of the manual firejailing that Wikimedia currently uses. Moritz suggested to start with this one since it has a pretty low usage.

https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/mediawiki/files/mediawiki-firejail-lilypond
https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/mediawiki/files/mediawiki-converters.profile

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+0 -36mediawiki: Remove Score firejail wrappers
operations/mediawiki-configmaster+0 -3Remove manual firejailing of Score binaries
mediawiki/extensions/Scoremaster+66 -37Enable shell restrictions for all binaries
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Nov 28 2017, 6:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 28 2017, 6:00 PM
gerritbot added a subscriber: gerritbot.Nov 28 2017, 7:31 PM

Change 393830 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/extensions/Score@master] Enable shell restrictions for lilypond

https://gerrit.wikimedia.org/r/393830

gerritbot added a project: Patch-For-Review.Nov 28 2017, 7:31 PM
Legoktm added a comment.Nov 28 2017, 7:32 PM

I tested the patch with https://en.wikipedia.org/wiki/Pastime_with_Good_Company and I also set $wgScoreLilypond to point to mediawiki-firejail-lilypond (firejail inside a firejail) and it all worked.

Ebe123 moved this task from Backlog to In Progress on the MediaWiki-extensions-Score board.Nov 28 2017, 11:35 PM
gerritbot added a comment.Dec 2 2017, 2:32 AM

Change 393830 merged by jenkins-bot:
[mediawiki/extensions/Score@master] Enable shell restrictions for all binaries

https://gerrit.wikimedia.org/r/393830

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-12-05 (1.31.0-wmf.11)).Dec 2 2017, 3:00 AM
Legoktm renamed this task from Convert "lilypond" to use MediaWiki shell restrictions to Convert Score binaries to use MediaWiki shell restrictions.Dec 4 2017, 4:33 AM
gerritbot added a comment.Dec 4 2017, 4:45 AM

Change 394913 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/mediawiki-config@master] Remove manual firejailing of Score binaries

https://gerrit.wikimedia.org/r/394913

gerritbot added a comment.Dec 4 2017, 5:03 AM

Change 394914 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/puppet@production] mediawiki: Remove Score firejail wrappers

https://gerrit.wikimedia.org/r/394914

TheDJ awarded a token.Dec 4 2017, 9:43 AM
Legoktm closed this task as Resolved.Dec 8 2017, 9:02 PM

There's still a little cleanup to do, but I'll follow-up on that.

CCicalese_WMF moved this task from Ready to Done on the MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017) board.Dec 10 2017, 8:12 PM
gerritbot added a comment.Dec 12 2017, 12:49 AM

Change 394913 merged by jenkins-bot:
[operations/mediawiki-config@master] Remove manual firejailing of Score binaries

https://gerrit.wikimedia.org/r/394913

Stashbot added a subscriber: Stashbot.Dec 12 2017, 12:53 AM

Mentioned in SAL (#wikimedia-operations) [2017-12-12T00:53:08Z] <legoktm@tin> Synchronized wmf-config/CommonSettings.php: Remove manual firejailing of Score binaries (T181535) (duration: 00m 56s)

gerritbot added a comment.Dec 12 2017, 12:33 PM

Change 394914 merged by Muehlenhoff:
[operations/puppet@production] mediawiki: Remove Score firejail wrappers

https://gerrit.wikimedia.org/r/394914

Reedy mentioned this in T257062: Lilypond seemingly not subject to restrictions (CVE-2020-29007).Jul 3 2020, 4:32 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL