
C_FORCE_ROOT is bad, change pickle as serialization format for celery
Closed, Declined · Public

Description

To fix a recent bug I had to upgrade celery. But this highlighted that we have a security issue due to Celery running as root and pickle being the default serialization format. We need to:

  1. stop running Celery as root (configure upstart)
  2. stop using pickle as the serialization format

Version: unspecified
Severity: normal
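As an added example (not code from the ticket or from Wikimetrics), a small audit that checks a Celery configuration for the two problems listed in the description, and a helper that returns the JSON-only configuration. It assumes Celery 3.x defaults (pickle task/result serializer, accept_content including pickle) and Celery's behaviour of refusing to start a pickle-accepting worker as root unless C_FORCE_ROOT is set; the sample config and environment are constructed.

```python
# Celery 3.x setting names (the era of this task) mapped to their Celery 4+
# lowercase equivalents; either spelling is accepted. Defaults are 3.x's.
SETTINGS = {
    "task_serializer": ("CELERY_TASK_SERIALIZER", "pickle"),
    "result_serializer": ("CELERY_RESULT_SERIALIZER", "pickle"),
    "accept_content": ("CELERY_ACCEPT_CONTENT",
                       ["json", "pickle", "msgpack", "yaml"]),
}

def _setting(conf, name):
    old_name, default = SETTINGS[name]
    return conf.get(old_name, conf.get(name, default))

def audit_celery_config(conf, *, euid, env):
    """Return findings for a Celery config dict; euid (worker's effective
    uid) and env (its environment) are parameters so a captured
    configuration can be checked offline."""
    findings = []
    for name in ("task_serializer", "result_serializer"):
        if _setting(conf, name) == "pickle":
            findings.append(f"{name} is pickle; set it to json")
    if "pickle" in _setting(conf, "accept_content"):
        findings.append("accept_content allows pickle; restrict to ['json']")
    if euid == 0:
        findings.append("worker runs as root; run it under a service user "
                        "(Upstart setuid/setgid stanzas) instead")
    if env.get("C_FORCE_ROOT"):
        findings.append("C_FORCE_ROOT is set, which overrides Celery's refusal "
                        "to start a pickle-accepting worker as root")
    return findings

def harden(conf):
    """Return a copy of conf with JSON-only serialization (Celery 3.x names)."""
    fixed = dict(conf)
    for name, (old_name, _) in SETTINGS.items():
        fixed.pop(name, None)      # drop either spelling before re-setting
        fixed.pop(old_name, None)
    fixed.update(CELERY_TASK_SERIALIZER="json",
                 CELERY_RESULT_SERIALIZER="json",
                 CELERY_ACCEPT_CONTENT=["json"])
    return fixed

# Constructed sample: a 3.x-era config that never set any serializer option.
WEAK_CONF = {"BROKER_URL": "redis://localhost:6379/0"}
WEAK_ENV = {"C_FORCE_ROOT": "1"}

if __name__ == "__main__":
    for finding in audit_celery_config(WEAK_CONF, euid=0, env=WEAK_ENV):
        print("-", finding)
    print(audit_celery_config(harden(WEAK_CONF), euid=1001, env={}))
```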

Details

Reference
bz60289

Event Timeline

bzimport raised the priority of this task from to Normal. · Nov 22 2014, 2:52 AM
bzimport set Reference to bz60289.

bingle-admin wrote:

Prioritization and scheduling of this bug is tracked on Mingle card https://wikimedia.mingle.thoughtworks.com/projects/analytics/cards/cards/1396

csalvia wrote:

Going to change pickle to JSON

ori added a comment. · Jan 29 2014, 2:57 PM

(In reply to comment #0)

  1. stop running Celery as root (configure upstart)

The Puppet module provisions an Upstart job which sets gid/uid to wikimetrics.

Thanks Ori, that's a good point. Wikimetrics came before its puppetization, so the "production" instance suffers from this problem. We should fix it by puppetizing it.

mforns closed this task as Declined. · Mar 26 2019, 2:26 PM
mforns added a subscriber: mforns.

Declining because Wikimetrics is being discontinued. See: T211835.

Restricted Application added a project: Analytics. · Mar 26 2019, 2:26 PM
Restricted Application added a subscriber: jeblad.