Tighten permissions on HHVM bytecode cache
Closed, DeclinedPublic

Description

Right now we have set permissions of our bytecode cache to 0644 in Puppet, which is fine as long as we're serving MediaWiki, whose permissions match these. We may want to restrict this to 0640 so that a random user can't read that arbitrarily.

Event Timeline

Joe raised the priority of this task from to Lowest.
Joe updated the task description.
Joe added projects: ops-core, HHVM, Puppet.
Joe set Security to None.
Joe added subscribers: Joe, fgiunchedi.

This is still the case:

mw1015:~$ ls -la /var/cache/hhvm/
total 263776
drwxr-xr-x  2 www-data www-data      4096 Apr 29 12:05 .
drwxr-xr-x 15 root     root          4096 Feb 10 13:51 ..
-rw-r--r--  1 www-data www-data   4282368 Apr 29 12:05 cli.hhbc.sq3
-rw-r--r--  1 www-data www-data 265807872 Apr 29 11:40 fcgi.hhbc.sq3

Though switching to 0640 should be harmless, at least for the fcgi byte cache, I think.
The CLI would still access the bytecode cache read-only, it seems:

mw1015:~$ strace -f -e file php -e 'exit();' 2>&1 | grep var/cache
[pid  2977] stat("/var/cache/hhvm/cli.hhbc.sq3", {st_mode=S_IFREG|0644, st_size=4282368, ...}) = 0
[pid  2977] open("/var/cache/hhvm/cli.hhbc.sq3", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
[pid  2977] open("/var/cache/hhvm/cli.hhbc.sq3", O_RDONLY|O_CLOEXEC) = 10
[pid  2977] stat("/var/cache/hhvm/cli.hhbc.sq3", {st_mode=S_IFREG|0644, st_size=4282368, ...}) = 0
[pid  2977] access("/var/cache/hhvm/cli.hhbc.sq3-journal", F_OK) = -1 ENOENT (No such file or directory)
[pid  2977] access("/var/cache/hhvm/cli.hhbc.sq3-wal", F_OK) = -1 ENOENT (No such file or directory)
[pid  2977] access("/var/cache/hhvm/cli.hhbc.sq3-journal", F_OK) = -1 ENOENT (No such file or directory)
[pid  2977] access("/var/cache/hhvm/cli.hhbc.sq3-wal", F_OK) = -1 ENOENT (No such file or directory)
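
The EACCES on `O_RDWR` followed by a successful `O_RDONLY` in the trace above is what POSIX class selection (owner, then group, then other) gives for a caller who is not the file owner. The sketch below is an added example, not part of the original task or of the Puppet code it discusses; it models that check for 0644 versus 0640 and lists world-readable files in a directory. The uid/gid values, caller names and temporary files are constructed for illustration.

```python
import os
import stat
import tempfile


def can_open(mode, file_uid, file_gid, uid, gids, want_write=False):
    """POSIX DAC check: exactly one class applies (owner, else group, else other).
    Root and ACLs are not modelled."""
    if uid == file_uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    need = 0o4 | (0o2 if want_write else 0)
    return (mode >> shift) & need == need


def world_readable(directory):
    """Names of regular files in `directory` that have the other-read bit set."""
    hits = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            hits.append(entry.name)
    return sorted(hits)


def access_table():
    """(read-only ok, read-write ok) per caller for a www-data:www-data file."""
    owner = (33, 33)  # constructed uid/gid standing in for www-data
    callers = {       # constructed callers: name -> (uid, group ids)
        "www-data": (33, {33}),
        "group-member": (1000, {1000, 33}),
        "other-user": (1001, {1001}),
    }
    return {
        (mode, name): (can_open(mode, *owner, uid, gids),
                       can_open(mode, *owner, uid, gids, want_write=True))
        for mode in (0o644, 0o640)
        for name, (uid, gids) in callers.items()
    }


def audit_demo():
    """Create two constructed cache files and report which are world-readable."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("cli.hhbc.sq3", 0o644), ("fcgi.hhbc.sq3", 0o640)):
            path = os.path.join(d, name)
            open(path, "wb").close()
            os.chmod(path, mode)  # chmod is not affected by the umask
        return world_readable(d)
```

Under 0644 the `other-user` row comes out as read-only allowed and read-write denied, matching the trace; under 0640 the same caller can no longer read the file unless it is in the file's group.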
Krinkle subscribed.

Obsolete per T229792.