Cannot write some tmp files as another user than "nobody"
Closed, ResolvedPublic

Description

List of steps to reproduce (step by step, including full links if applicable):
The following steps are just for reproduction. The actual problem I faced was during a PHPUnit run (similar to mw dev mw exec -- composer phpunit tests/phpunit/unit/includes/libs/uuid/GlobalIdGeneratorTest.php).

# Create mwdd containers
mw dev mw create && mw dev mysql create

# Clone StructuredDiscussions(Flow)
git clone --depth 1 https://github.com/wikimedia/mediawiki-extensions-Flow.git "$(mw dev env get MEDIAWIKI_VOLUMES_CODE)/extensions/Flow"

# Install MediaWiki
mw dev mw install --dbtype mysql

# Modify LocalSettings.php
echo "wfLoadExtension('Flow');" >> "$(mw dev env get MEDIAWIKI_VOLUMES_CODE)/LocalSettings.php"
echo "\$wgNamespaceContentModels[NS_TALK] = 'flow-board';" >> "$(mw dev env get MEDIAWIKI_VOLUMES_CODE)/LocalSettings.php"

# Do schema update for Flow
mw dev mw exec -- php maintenance/update.php --quick

Visit http://default.mediawiki.mwdd.localhost:8080/w/index.php?title=Talk:Main_Page and create a topic.

Start a shell by executing mw dev mw exec bash.

# Confirm temporary files are created by "nobody"
ls /tmp -l
# total 20
# -rw-rw-rw- 1 nobody nogroup 4385 Oct 19 05:05 LocalSettings.php
# -rw-rw-rw- 1 nobody nogroup   18 Oct 19 05:12 mw-GlobalIdGenerator-UID-88
# -rw-rw-rw- 1 nobody nogroup   12 Oct 19 05:12 mw-GlobalIdGenerator-UID-nodeid
# -rw------- 1 root   root     184 Oct 19 05:03 php7.3-fpm.log

# Start another shell
php maintenance/shell.php

then execute \MediaWiki\MediaWikiServices::getInstance()->getGlobalIdGenerator()->newTimestampedUID88();

What happens?:

An exception is thrown:

<warning>PHP Warning: fopen(/tmp/mw-GlobalIdGenerator-UID-88): failed to open stream: Permission denied in /var/www/html/w/includes/libs/uuid/GlobalIdGenerator.php on line 437</warning>
RuntimeException with message 'Could not open '/tmp/mw-GlobalIdGenerator-UID-88'.'

What should have happened instead?:

No exception should be thrown and the output should be printed.
Internally, /tmp/mw-GlobalIdGenerator-UID-88 would be updated.

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc:

mwcli: v0.5.0

Maybe this is expected behavior. Feel free to close this if it is the case. If so, the help message about PHPUnit of mw dev mw exec should be changed to...

exec --user nobody -- composer phpunit tests/phpunit/unit/includes/XmlTest.php # Run a single test

Although running PHPUnit as 'nobody' seems to have another permission problem :(

Event Timeline

Hmm, this looks very similar to T292611: Cannot properly setup StructuredDiscussions via mwcli
Is T292611 no longer happening and this just looks similar but has a different cause?

T292611 is no longer happening to me.
'/tmp/mw-GlobalIdGenerator-UID-88' does exist but is just not writable by 1000 or the root user.

Lens0021 updated the task description.

So I can't reproduce this, but that might be an indication of another bug.

What happens if you re-run mediawiki create and try again?

I've found I missed some steps to reproduce. I will update the description of this task later.

The causes of this are:

  • The first call of newTimestampedUID88() creates the '/tmp/mw-GlobalIdGenerator-UID-88' file, I guess.
  • If a user creates a topic or does something using Flow, the function would be called by nobody.
  • A call of the function in shell.php can also create the file as 1000 if the file does not exist.

Therefore, the problem would happen if the creation by nobody is prior to the writing attempt by 1000.

Lens0021 renamed this task from Cannot write some tmp files as another user than 'nobody' to Cannot write some tmp files as another user than "nobody". Oct 19 2021, 5:25 AM
Lens0021 updated the task description.
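
Added example, not part of the task thread and not mwcli or MediaWiki code: the listing in the description shows the UID files as mode 0666, yet uid 1000 and root are both refused, which ordinary permission bits do not explain. One mechanism that produces exactly this, offered here as an assumption the thread does not confirm, is the Linux fs.protected_regular sysctl, which refuses open(O_CREAT) on a regular file in a sticky world-writable directory unless the caller or the directory owner owns the file. The function names, uid 65534 for nobody and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not mwcli or MediaWiki code). Models the kernel's
# fs.protected_regular check for open(O_CREAT) on an existing regular file.
# Assumption: this hardening is what blocks the write; the thread does not say.

# o_creat_verdict FILE_UID DIR_UID DIR_MODE_OCTAL CALLER_UID LEVEL
# Prints "allowed" or "blocked". Ordinary permission bits are not modelled,
# since mode 0666 already grants write access to every user.
o_creat_verdict() (
    file_uid=$1; dir_uid=$2; dir_mode=$((0$3)); caller_uid=$4; level=$5
    # Exemptions: protection off, directory not sticky, file owned by the
    # directory owner, or file owned by the caller. Root gets no exemption.
    if [ "$level" -eq 0 ] || [ $((dir_mode & 01000)) -eq 0 ] ||
       [ "$file_uid" -eq "$dir_uid" ] || [ "$file_uid" -eq "$caller_uid" ]; then
        echo allowed
    # Level 1 covers world-writable sticky directories; level 2 also covers
    # group-writable ones.
    elif [ $((dir_mode & 0002)) -ne 0 ] ||
         { [ "$level" -ge 2 ] && [ $((dir_mode & 0020)) -ne 0 ]; }; then
        echo blocked
    else
        echo allowed
    fi
)

# diagnose PATH: apply the model to a real file, using the live sysctl value
# and the current uid (requires GNU stat for the -c option).
diagnose() (
    path=$1
    dir=$(dirname -- "$path")
    level=$(cat /proc/sys/fs/protected_regular 2>/dev/null || echo 0)
    o_creat_verdict "$(stat -c %u -- "$path")" "$(stat -c %u -- "$dir")" \
        "$(stat -c %a -- "$dir")" "$(id -u)" "$level"
)

# Stand-alone use: pass the path to inspect as the first argument.
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```

Run inside the container against /tmp/mw-GlobalIdGenerator-UID-88, a "blocked" verdict for a mode-0666 file points at the sysctl rather than at the file's permission bits.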

/tmp seems to be a requirement of reproduction as mw dev mw exec php maintenance/rebuildLocalisationCache.php -- --lang en --force successfully overwrites /var/www/html/w/images/docker/default/cache/l10n_cache-en.cdb which could be owned by nobody:nogroup if autogenerated by the web server when a user visits any wiki page.

/var/www/html/w/images/docker/default/cache/ looks like an interesting path too, afaik some of these should have changed recently.
I would have expected this file to not be in images any more
https://gitlab.wikimedia.org/releng/cli/-/blob/main/internal/mwdd/files/embed/mediawiki.yml#L12-13
But indeed there is some other config that I should update pointing at the data dir
https://gitlab.wikimedia.org/releng/cli/-/blob/main/internal/mwdd/files/embed/mediawiki/MwddSettings.php#L257

These 2 locations currently have some special behaviour beyond the norm
https://gitlab.wikimedia.org/releng/cli/-/blob/main/cmd/mwdd_mediawiki.go#L294-295
But ideally I would get rid of this?

I think a possible alternative would be either setting some permissions on /tmp OR setting mediawiki to point at a /tmp dir in the data dir.

Another thing to note is that the PHP mediawiki processes should now all have a umask set on them, albeit through a small hack.
https://gitlab.wikimedia.org/releng/cli/-/blob/main/cmd/mwdd_mediawiki.go#L294-295
https://gitlab.wikimedia.org/releng/cli/-/blob/main/internal/mwdd/files/embed/mediawiki/MwddInstall.php#L6-8
Which also changes some of this behaviour

Just re-confirming today that this still happens

I have no name!@492b58980b03:/var/www/html/w$ php maintenance/shell.php
Psy Shell v0.10.12 (PHP 8.0.11 — cli) by Justin Hileman
>>>
>>>
>>> \MediaWiki\MediaWikiServices::getInstance()->getGlobalIdGenerator()->newTimestampedUID88();
<warning>PHP Warning:  fopen(/tmp/mw-GlobalIdGenerator-UID-88): Failed to open stream: Permission denied in /var/www/html/w/includes/libs/uuid/GlobalIdGenerator.php on line 437</warning>
RuntimeException with message 'Could not open '/tmp/mw-GlobalIdGenerator-UID-88'.'

Addshore moved this task from Review to Pending Release on the mwcli board.

v0.10.0