
Can't run mwscript without explicit sudo on Beta Cluster
Closed, Resolved (Public)

Description

I tried to test a maintenance script on Beta Cluster (ssh-ed into deployment-bastion.eqiad.wmflabs):

mwscript extensions/Flow/maintenance/FlowFixEditCount.php --wiki=enwiki

It prompts for my password, which of course I don't know.

It turns out (thanks @Krenair) that the workaround is:

sudo mwscript extensions/Flow/maintenance/FlowFixEditCount.php --wiki=enwiki

but this seems unnecessary (there is already logic in the script about doing sudo, so it should work).

Event Timeline

Mattflaschen-WMF raised the priority of this task from to Needs Triage.
Mattflaschen-WMF updated the task description.

(obviously the workaround is for projectadmins only, and shouldn't really be encouraged... although this is beta so...)

Aklapper triaged this task as Lowest priority. Feb 18 2015, 9:31 AM
Krenair raised the priority of this task from Lowest to Needs Triage. Feb 18 2015, 12:09 PM
Krenair set Security to None.
greg renamed this task from Can't run mwscript without explicit sudo on Beta Labs to Can't run mwscript without explicit sudo on Beta Cluster. Feb 18 2015, 4:23 PM
greg updated the task description.

Probably caused by T78076

Current workaround is to "sudo -u www-data mwscript"

The current mwscript still tries to sudo apache and normal users no longer have that right in beta. The script should be changed in operations/puppet.git to sudo www-data instead but that will require Ops intervention and probably applying the apache -> www-data file ownership conversions of T78076 on tin and terbium.

greg triaged this task as Medium priority. Mar 2 2015, 5:21 PM
greg moved this task from To Triage to Backlog on the Beta-Cluster-Infrastructure board.
yuvipanda claimed this task.
yuvipanda moved this task from Backlog to Done on the Beta-Cluster-Infrastructure board.
yuvipanda subscribed.

mwscript and other scripts now use www-data.

The ability to run commands as the "apache" user has been removed from the prod admins module today.