
Determine whether firejail shell restrictions can be enabled by default
Closed, Resolved (Public)

Description

The new shell restriction framework was introduced as opt-in: you have to explicitly call $command->restrict( ... ) to enable it. MediaWiki generally follows a secure-by-default philosophy, and ideally these new restrictions should be enabled by default too, so developers don't need to remember to add them.

For the migration to firejail it's much easier to restrict commands one by one, which is why this is initially opt-in. But once all or most commands are restricted, we should evaluate whether we can enable this by default.

Questions to consider:

  • How many external commands are incompatible with Shell::RESTRICT_DEFAULT?
    • Is there anything else we can add to Shell::RESTRICT_DEFAULT?
  • How can commands opt-out of the default restrictions? (->disableRestrictions()?)
  • If something does break, is it possible for a sysadmin to work around it without disabling all of firejail or manually patching? (/etc/firejail/mediawiki.profile support)
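As an added illustration of the two call patterns the questions above turn on (this is example code written for this page, not code from the task or from MediaWiki core), the following shows the explicit opt-in the description mentions and an explicit opt-out via the existing restrict() call. It assumes a MediaWiki install where $wgShellRestrictionMethod is set so that firejail is actually used, and it uses Shell::RESTRICT_NONE as the opt-out value; the ->disableRestrictions() method in the question list is only a proposal and is not used here.

```php
<?php
// Example code added for this page; not part of the task or of MediaWiki core.
// Assumes MediaWiki\Shell\Shell and the firejail-backed Command from core
// with $wgShellRestrictionMethod configured so the restrictions take effect.
use MediaWiki\Shell\Shell;

/**
 * Run an external command under the default restriction set and report
 * whether it still works. This is the check behind question 1 in the task:
 * "how many external commands are incompatible with Shell::RESTRICT_DEFAULT?"
 *
 * @param string ...$argv Program and arguments, passed as separate parameters
 *   so that Shell escapes each one (no shell string is built by hand).
 * @return bool True when the command exits 0 under RESTRICT_DEFAULT.
 */
function runsUnderDefaultRestrictions( string ...$argv ): bool {
	// Explicit opt-in, the form the description calls $command->restrict( ... ).
	$result = Shell::command( ...$argv )
		->restrict( Shell::RESTRICT_DEFAULT )
		->execute();

	if ( $result->getExitCode() !== 0 ) {
		// A non-zero exit under the sandbox (for example a seccomp kill or a
		// missing device in the private /dev) is the incompatibility signal
		// that a sysadmin would otherwise only see as a broken feature.
		wfDebugLog( 'exec', 'Command failed under RESTRICT_DEFAULT: '
			. implode( ' ', $argv ) . ' stderr=' . $result->getStderr() );
		return false;
	}
	return true;
}

/**
 * Explicit opt-out for a command known to be incompatible. Passing
 * Shell::RESTRICT_NONE (assumed to be the zero bitmask) clears the default
 * set; this is the per-command escape hatch to weigh against the proposed
 * ->disableRestrictions() helper.
 */
function runUnrestricted( string ...$argv ): string {
	$result = Shell::command( ...$argv )
		->restrict( Shell::RESTRICT_NONE )
		->execute();
	return $result->getStdout();
}

// Usage: probe a converter binary before relying on it in a sandboxed code path.
if ( !runsUnderDefaultRestrictions( 'convert', '-version' ) ) {
	// Fall back deliberately and visibly rather than silently widening the sandbox.
	$banner = runUnrestricted( 'convert', '-version' );
}
```

The point of splitting the two call sites into named functions is that, once the default is flipped, the opt-out becomes the only place a reviewer needs to look: every call that passes Shell::RESTRICT_NONE is an explicit, greppable exception rather than an omission.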

Tagged as MW-1.31-release since if this happens, it should happen as part of 1.31.

Event Timeline

Change 402578 had a related patch set uploaded (by Legoktm; owner: MaxSem):
[mediawiki/core@master] WIP: add default shell restrictions

https://gerrit.wikimedia.org/r/402578

MaxSem claimed this task.

The above patch has been merged, so all executions using the new API are now restricted by default.