Page MenuHomePhabricator

Using shell.php in production sends warnings to Logstash
Open, LowPublic

Description

If you use maintenance/shell.php in production – by default it’s broken (T186936) but there are workarounds, e. g. PHP=php7.2 mwscript shell.php – then a message like the following will appear in Logstash (e. g. on the fatalmonitor board):

[14d509596bbbbff107cdb5e6] [no req] ErrorException from line 228 of /srv/mediawiki/php-1.34.0-wmf.13/vendor/psy/psysh/src/ConfigPaths.php: PHP Notice: Writing to /home/lucaswerkmeister-wmde/.config/psysh is not allowed.

This is because we use sudo to run the PHP script as the www-data user, but the environment isn’t reset, so it still tries to write to the calling user’s home directory, which isn’t writable to www-data.

This was already noted by @Tgr in T117661#3757237, but since this message ends up in logstash, I figured it makes sense to have a task for it.

@hashar suggests using sudo --set-home (abbreviated sudo -H), but I think that would end up merging all users’ shell histories – I’m not sure if we want that or not.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 15 2019, 12:28 PM
Lucas_Werkmeister_WMDE triaged this task as Low priority.Jul 15 2019, 12:29 PM
Tgr added a comment.Jul 15 2019, 1:44 PM

We could create a separate www-data-writable config directory for every user. I'm not quite sure of the security implications - if an attacker gains www-data access and is able to mess with PHP files executed by another user sudoing as www-data, can that be used somehow to mess with that user's original (probably more privileged) shell account?

The steps if we go that way would be roughly:

  • make mwscript store the original user as some environment variable (or maybe the shell provides some way to get that, there are some suggestions here)
  • add a $wgPsyShConfig global that gets passed into the Psy\Configuration constructor (or a hook or some other way of per-installation configuration settings)
  • override the config dir, history file etc. settings in Wikimedia production when the current user is www-data, with a value that's based on the original username.

(That would also allow mostly fixing T186936, by disabling forking when the PHP engine is HHVM.)