Right now we have set permissions of our bytecode cache to 0644 in puppet, which is fine as long as we're serving mediawiki, whose permissions match these. We may want to restrict this to 0640 so that a random user can't read that arbitrarily.
Related Objects
- Mentioned Here
- T229792: Remove HHVM from production
Event Timeline
this is still the case
mw1015:~$ ls -la /var/cache/hhvm/
total 263776
drwxr-xr-x  2 www-data www-data      4096 Apr 29 12:05 .
drwxr-xr-x 15 root     root          4096 Feb 10 13:51 ..
-rw-r--r--  1 www-data www-data   4282368 Apr 29 12:05 cli.hhbc.sq3
-rw-r--r--  1 www-data www-data 265807872 Apr 29 11:40 fcgi.hhbc.sq3
though switching to 0640 should be harmless at least for fcgi byte cache I think.
CLI would still access the bytecode cache in readonly it seems:
mw1015:~$ strace -f -e file php -e 'exit();' 2>&1 | grep var/cache
[pid 2977] stat("/var/cache/hhvm/cli.hhbc.sq3", {st_mode=S_IFREG|0644, st_size=4282368, ...}) = 0
[pid 2977] open("/var/cache/hhvm/cli.hhbc.sq3", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
[pid 2977] open("/var/cache/hhvm/cli.hhbc.sq3", O_RDONLY|O_CLOEXEC) = 10
[pid 2977] stat("/var/cache/hhvm/cli.hhbc.sq3", {st_mode=S_IFREG|0644, st_size=4282368, ...}) = 0
[pid 2977] access("/var/cache/hhvm/cli.hhbc.sq3-journal", F_OK) = -1 ENOENT (No such file or directory)
[pid 2977] access("/var/cache/hhvm/cli.hhbc.sq3-wal", F_OK) = -1 ENOENT (No such file or directory)
[pid 2977] access("/var/cache/hhvm/cli.hhbc.sq3-journal", F_OK) = -1 ENOENT (No such file or directory)
[pid 2977] access("/var/cache/hhvm/cli.hhbc.sq3-wal", F_OK) = -1 ENOENT (No such file or directory)
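Since the CLI opens cli.hhbc.sq3 read-only as whoever runs it, the question before moving to 0640 is which accounts would lose that read. The script below is an added example, not part of the task or of the puppet code: it lists world-readable cache files and predicts, per user, read access before and after a mode change. It assumes plain owner/group/other mode bits (no ACLs, root ignored) and GNU stat; the user names alice and deploy in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the task. Assumes classic mode bits only
# (no ACLs, root ignored) and GNU stat/id for the impact report.

# can_read MODE OWNER GROUP USER "USER_GROUPS" -> prints yes or no.
# The kernel consults exactly one class: owner, else group, else other.
# e.g. can_read 0640 www-data www-data alice "alice users"  (constructed user)
can_read() {
    p=000$1; p=${p#"${p%???}"}        # keep the last three octal digits
    u=${p%??}; g=${p#?}; g=${g%?}; o=${p#??}
    if [ "$4" = "$2" ]; then
        bit=$u
    else
        case " $5 " in
            *" $3 "*) bit=$g ;;       # user is a member of the file's group
            *)        bit=$o ;;
        esac
    fi
    if [ "$bit" -ge 4 ]; then echo yes; else echo no; fi
}

# world_readable DIR -> regular files whose "other" read bit is set.
world_readable() {
    find "$1" -type f -perm -004
}

# impact DIR USER NEWMODE -> per file: can USER read it now, and at NEWMODE?
impact() {
    grps=$(id -Gn "$2")
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        m=$(stat -c %a "$f"); ow=$(stat -c %U "$f"); gr=$(stat -c %G "$f")
        now=$(can_read "$m" "$ow" "$gr" "$2" "$grps")
        new=$(can_read "$3" "$ow" "$gr" "$2" "$grps")
        echo "$f: $2 now=$now at-$3=$new"
    done
}

# Usage: sh thisfile /var/cache/hhvm USER [NEWMODE]   (NEWMODE defaults to 0640)
if [ "$#" -ge 2 ]; then
    impact "$1" "$2" "${3:-0640}"
fi
```

Any account reported as now=yes and at-0640=no would need to join the file's group, or run the CLI as the owning user, before the mode is tightened.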