Page MenuHomePhabricator
Create Task
Maniphest T182484

Add shell restriction to deny access to LocalSettings.php
Closed, ResolvedPublic
Actions

Description

Suggested by Tim in the code review for https://gerrit.wikimedia.org/r/#/c/384930/

Most secret information like database passwords are kept in LocalSettings.php, so blacklisting that file by default would take away a lot of information an attacker would want.

Details

SubjectRepoBranchLines +/-
shell: Add NO_LOCALSETTINGS restrictionmediawiki/coremaster+15 -3
Customize query in gerrit

Related Objects

Event Timeline

Legoktm created this task.Dec 9 2017, 6:00 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 9 2017, 6:00 AM
gerritbot subscribed.Dec 9 2017, 6:05 AM

Change 396080 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] shell: Add NO_LOCALSETTINGS restriction

https://gerrit.wikimedia.org/r/396080

gerritbot added a project: Patch-For-Review.Dec 9 2017, 6:05 AM
Legoktm mentioned this in T182486: Command::whitelistPaths() with firejail doesn't work exactly as expected.Dec 9 2017, 8:18 AM
Legoktm mentioned this in T173370: Support restricted execution of external commands (via firejail).Dec 9 2017, 10:29 AM
Legoktm moved this task from Ready to In Progress on the MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017) board.Dec 9 2017, 10:42 AM
gerritbot added a comment.Dec 22 2017, 1:44 AM

Change 396080 merged by jenkins-bot:
[mediawiki/core@master] shell: Add NO_LOCALSETTINGS restriction

https://gerrit.wikimedia.org/r/396080

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-01-02 (1.31.0-wmf.15)).Dec 22 2017, 2:00 AM
Legoktm closed this task as Resolved.Dec 25 2017, 2:20 AM
CCicalese_WMF moved this task from In Progress to Done on the MediaWiki-Platform-Team-Archived (MWPT-Q2-Oct-Dec-2017) board.Jan 2 2018, 3:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL