Page MenuHomePhabricator
Create Task
Maniphest T75206

File upload area resorts to 0777 permissions to for uploaded content
Closed, ResolvedPublic
Actions

Description

(Bryan Davis from https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c3)

Ran chmod -R =rwX /data/project/upload7 to fix all file permissions.

(Marc A. Pelletier from https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c4)

Be aware that doing so has given write permission to any authenticated user.
This may not be a catastrophe in practice, but it has security impact.

(Bryan Davis from https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c5)

(In reply to Marc A. Pelletier from comment #4)

Be aware that doing so has given write permission to any authenticated user.
This may not be a catastrophe in practice, but it has security impact.

This has been the fix for this particular issue as long as I've been helping
in beta. I agree that chmod 0777 is a lame solution, but the uid/gid
mismatches and NFS4 acls are a bit of a blocker to proper management of the
shared file permissions.

(Marc A. Pelletier from https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c6)

NFSv4 doesn't actually require UID concordance so long as the user /name/
exists on the NFS server do that it doesn't fall back to numerical IDs - the
proper solution to this is to make certain that any user or group that owns
files in the shared filesystem exist on the NFS servers.

In the general Labs case, this is done through LDAP - but users and groups
coming from Debian packages need to either be added (before installation) to
LDAP or added to the NFS servers.

Version: unspecified
Severity: normal

Details

Reference
bz73206

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 3:45 AM
bzimport added a project: Beta-Cluster-Infrastructure.
bzimport set Reference to bz73206.
bzimport added a subscriber: Unknown Object (MLST).
bd808 created this task.Nov 9 2014, 6:21 PM
bd808 added a comment.Nov 9 2014, 6:33 PM

It should be sufficient for the MediaWiki runtime user (apache) to have read/write for the files and directories under the /data/project/upload7 NFS share. All hosts in the beta cluster should be made to agree on the uid of the apache user. This would probably involve creating an apache user in ldap, fixing all beta hosts to use that user instead of a local user and then fixing the shared file ownership to be 0775 apache:apache.

hashar added a comment.Nov 10 2014, 8:26 AM

We had system users created in LDAP already, bug 66575 for cxserver and bug 63329 for parsoid.

Maybe we need to create in LDAP an apache user with uid 48 and a group with gid 48.

hashar added a comment.Nov 12 2014, 2:19 PM
  • Bug 73309 has been marked as a duplicate of this bug. ***
hashar added a comment.Nov 12 2014, 2:20 PM

Per duplicate bug 73309, this blocks Bug 73229 - beta labs: "error while storing the file in the stash.'

Reedy added a comment.Nov 15 2014, 9:51 AM

root@deployment-bastion:/home/reedy# add-ldap-group --gid=48 apache
Traceback (most recent call last):

File "/usr/local/sbin/add-ldap-group", line 120, in <module>
  main()
File "/usr/local/sbin/add-ldap-group", line 38, in main
  ldapSupportLib.setBindInfoByOptions(options, parser)
File "/usr/local/lib/python2.7/dist-packages/ldapsupportlib.py", line 80, in setBindInfoByOptions
  self.binddn = self.getLdapInfo('USER', '/etc/ldap/.ldapscriptrc')
File "/usr/local/lib/python2.7/dist-packages/ldapsupportlib.py", line 103, in getLdapInfo
  for line in f:

UnboundLocalError: local variable 'f' referenced before assignment

What do you give for a pub key?

add-ldap-user --ui=48 --guid=48 apache ?????

Gilles added a comment.Nov 15 2014, 10:30 AM

Glancing at the source code of add-ldap-group, it seems to expect the existence of the /etc/ldap/.ldapscriptrc file, which would include the credentials to connect to LDAP. There are other options to provide the credentials.

hashar added a comment.Nov 15 2014, 11:06 AM

Sam, that needs to be done on the whole labs LDAP. We probably don't have any credential there.

greg moved this task from To Triage to Backlog on the Beta-Cluster-Infrastructure board.Nov 24 2014, 11:18 PM
greg moved this task from Backlog to Next: Maintenance on the Beta-Cluster-Infrastructure board.Nov 24 2014, 11:23 PM
bd808 added a project: acl*sre-team.Nov 25 2014, 5:48 PM
bd808 added a project: Scrum-of-Scrums.
bd808 moved this task from Scheduled to Blocked on the Scrum-of-Scrums board.
hashar renamed this task from File upload area resorts to 0777 permissions to for uploaded conent to File upload area resorts to 0777 permissions to for uploaded content.Nov 25 2014, 9:04 PM
hashar set Security to None.
Milimetric closed this task as Resolved.Nov 26 2014, 6:37 PM
greg added a comment.Nov 26 2014, 7:40 PM

What was done to resolve this one?

Cmcmahon reopened this task as Open.Nov 26 2014, 8:30 PM
bd808 removed a project: Scrum-of-Scrums.Nov 26 2014, 8:46 PM

T76086: Create labs ldap user and group "apache" to be used for NFS4 access in deployment-prep project filed to track the LDAP user creation which requires SRE to complete.

bd808 closed subtask T76086: Create labs ldap user and group "apache" to be used for NFS4 access in deployment-prep project as Resolved.Dec 9 2014, 10:23 PM
bd808 changed the status of subtask T78076: Make www-data the web-serving user (is currently apache) from Open to Stalled.Dec 13 2014, 5:37 PM
bd808 closed subtask T78473: Change ownership and permissions of /data/project/upload7 as Resolved.Dec 13 2014, 8:12 PM
bd808 added a comment.Dec 13 2014, 9:56 PM

I think the only remaining work for this will be merging https://gerrit.wikimedia.org/r/178690 into rOPUP Wikimedia Puppet to ensure that future beta hosts create the apache user with the expected uid.

chasemp added subscribers: ori, chasemp.Jan 6 2015, 11:32 PM

@ori, you revamped all the apache stuff could you give https://gerrit.wikimedia.org/r/178690 a peek? I'm unsure and this seems like it needs the 'last mile' to close.

yuvipanda subscribed.Jan 14 2015, 8:46 AM
This comment was removed by yuvipanda.
yuvipanda mentioned this in T78076: Make www-data the web-serving user (is currently apache).Jan 14 2015, 8:51 AM
Joe changed the status of subtask T78076: Make www-data the web-serving user (is currently apache) from Stalled to Open.Feb 17 2015, 8:29 AM
Joe closed subtask T78076: Make www-data the web-serving user (is currently apache) as Resolved.Feb 17 2015, 5:06 PM
yuvipanda closed this task as Resolved.Mar 5 2015, 1:33 PM
yuvipanda claimed this task.

Fixed now with all the www-data work.

yuvipanda moved this task from Next: Maintenance to Done on the Beta-Cluster-Infrastructure board.Mar 5 2015, 1:33 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits