
Assign oathauth-verify-user to bureaucrats on WMF wikis
Open, Lowest, Public


Bureaucrats on WMF wikis are given the ability to grant interface administrator access to other users, and WMF requires that holders of that group have 2FA enabled. Granting bureaucrats the oathauth-verify-user right will allow them to verify that the Foundation's requirement is met before performing that action.

This tool was created in T209749; see the similar permission rollout in T251447.

Event Timeline

This needs approval by WMF legal.

Somewhat expect this to be controversial and need some weighing in. On the one hand, there is no way for these users to ensure this is in place before extending sensitive access - on the other hand some projects have a staggering amount of bureaucrats for some reason that this would extend the query access to (e.g. eswiki has 68 crats!). I'd say only on projects where bureaucrats can issue interface-admin, but that is currently all of the projects.

As the WMF-Legal project tag was added to this task, some general information to avoid wrong expectations:
Please note that public tasks in Wikimedia Phabricator are in general not a place to expect feedback from the Legal Team of the Wikimedia Foundation, due to the scope of the team and/or the nature of legal topics. See the project tag description.
Please see for when and how to contact the Legal Team. Thanks!

Please see for when and how to contact the Legal Team

Has anyone left them a message?

(e.g. eswiki has 68 crats!)

That's because we grant both permissions upon a successful RfA.

2FA logins are global, so this would mean someone taking over an xywiki bureaucrat account could check which valuable accounts on large wikis are easy targets. Once T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production gets enforced, that might be an acceptable risk, as account takeover is not terribly damaging for non-sensitive accounts; for now, I'm not sure it is a good idea.

@Tgr - we also allow all those 'crats to issue int-admin to anyone - but they are not supposed to do it unless the accounts have 2FA -- but they aren't able to actually check that so they just give it to anyone that claims they have 2FA, defeating the control (also not allowing audit to see if 2FA has been disabled). I expected this to be a bit borderline due to the way some projects (such as eswiki I mentioned above) give out 'crat to lots of users.

I suppose being able to make others into interface admin is already dangerous enough that 2FA checks do not add much risk; but the former has a public audit trail which makes abusing it much more difficult. How are 2FA checks logged?

Private log available only to stewards

Urbanecm triaged this task as Lowest priority. Dec 15 2020, 10:55 AM

(this is a configuration change, not a change to the extension itself)

Assuming T282624 completes, this will become invalid.