Page MenuHomePhabricator

Use of 'oathauth-disable-for-user' must be logged, with reason
Open, Needs TriagePublic

Description

I see that a new user right, 'oathauth-disable-for-user', was added to Ex:OATHAuth, which allows its holders (by default: sysops; on WMF only those in the staff global group) to remove 2FA from any account. However by looking at the code of Ex:OATHAuth, I can't see the use of this extremelly sensitive feature is being logged anywhere.

For accountability, the use of this feature must be logged IMHO (for example, in the private suppression log or another ad-hoc private log) and a reason field should also be added so we know why User:Ticio disabled 2FA for User:Cayo.

(Maybe for another task: send an email to the registered preferences address to the user whose 2FA was disabled with details of who and why?)

Thank you.

Note: feature added per T195207 & logging seems to be discussed at T151010 & T210643? (can't access: but I see a revert patch without much information though - this is about on-wiki logging of on-wiki actions performed with wiki special pages not just in Logstash, etc.).

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 1 2018, 12:51 PM
MarcoAurelio updated the task description. (Show Details)
Krenair added a subscriber: Krenair.Dec 1 2018, 2:57 PM
Reedy renamed this task from Use 'oathauth-disable-for-user' must be logged, with reason to Use of 'oathauth-disable-for-user' must be logged, with reason.Dec 1 2018, 11:47 PM

We currently don't really have a place for logging sensitive stuff like this stuff onwiki (and then replicating to labs adds some complexity). And I don't think it should be public to the masses that a user has disabled 2FA for another user for obvious reasons

Logging was breaking 2FA due to some issues with MW config and hence reverted for the time being until it can be investigated more thoroughly

I would agree a "reason" is useful, but we need somewhere to store it (see also private log comment above)

I note this is why I've made sure it's disabled on WMF wikis until policies/procedures are in place, never mind making sure the functionality necessary is already there :)

(Maybe for another task: send an email to the registered preferences address to the user whose 2FA was disabled with details of who and why?)

Yes, file a separate task for that

MarcoAurelio added a comment.EditedDec 2 2018, 8:27 PM

@Reedy I'd create an ad hoc log for this kind of stuff, similar to Special:CheckUserLog, where only people with oathauth-disable-for-user-log could access (for example: Special:OATHLog?). The suppression log might not be the best place because we tend to log there oversighting stuff, and there will be more people than just those with oathauth-disable-for-user that could watch (even if those are still trusted people). Indeed this should not be public for obvious reasons.

Labs: similar to what happens to other logs, we should add the table to the blacklist so it's not made public to the replicas.

I'll file a separate task for the email stuff.

Are we at least logging this stuff to fluorine/logstash right now?

Reedy added a comment.Dec 2 2018, 11:26 PM

Are we at least logging this stuff to fluorine/logstash right now?

No, because the patch was reverted

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

If that is possible, then sure, okay. I'd add a new right: oathauth-log (for example).

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

That sounds good, is there any chance that CU logs also use the built-in logging too? It reinvents its own logging wheel.

Reedy added a comment.Dec 3 2018, 3:02 PM

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

That sounds good, is there any chance that CU logs also use the built-in logging too? It reinvents its own logging wheel.

Sounds like a separate discussion for a separate bug ;)