
Run pollForChanges as user
Closed, Resolved, Public

Description

Here is what Katie proposed so that we stop running the script as root:

  1. create a new user on the systems, such as "wikidata", with some shared password. We can "su wikidata" (or "sudo -u wikidata") and run things as that user, such as pollforchanges.
  2. put user "wikidata" into group: www-data
  3. change permissions on all our mediawiki instances to:

chown -Rf wikidata:www-data /var/www

sudo chmod -R g+s /var/www (I'm not 100% sure about this but think it's right)


Version: unspecified
Severity: normal

Details

Reference
bz40739

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 12:58 AM
bzimport set Reference to bz40739.
bzimport added a subscriber: Unknown Object (MLST).

I created a system user ("wikidata") in the www-data group.

In a first step, this user's crontab now monitors if pollForChanges is running at all and if not it starts it as the wikidata user.

I refuse to put the sgid bit on everything in /var/www because of security risks. Using the suid bit just on pollForChanges does not work on a php script.

Question back to the developers: Can you specify the uid or user name under which the script is running directly *in* the script? (On dev this would be "wikidata", uid=115, gid=33.)

If you are root, you can "become" another user from inside php: http://php.net/manual/en/function.posix-setuid.php

However, beware the consequences. For instance, if the pid file was written as root, it may not be readable once the script runs as ordinary user.

But...

  • why is it not sufficient to just call the script as a different user?
  • Why do you think SGID is a security risk? SUID is, but SGID should be safe enough: http://www.library.yale.edu/wsg/docs/permissions/sgid.htm
  • SUID does not work on script files at all.
  • You should probably add www-data to the wikidata group (and/or vice versa?)
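The posix_setuid approach and the pid-file caveat discussed above, as an added example that is not part of the task or of the pollForChanges script itself. It assumes a "wikidata" system user exists (as created on dev) and uses a placeholder pid-file path; the order of the calls (supplementary groups and gid while still root, uid last) and the check that the drop cannot be reverted are the parts worth copying.

```php
<?php
// Added example (not pollForChanges code): start as root, then drop to the
// "wikidata" system user before doing any work. TARGET_USER and PID_FILE are
// assumptions for this illustration, not values taken from the task.

declare(strict_types=1);

const TARGET_USER = 'wikidata';                    // assumed: system user in group www-data
const PID_FILE    = '/var/run/pollForChanges.pid'; // assumed path, not from the task

/**
 * Drop root privileges to $user. Order matters: supplementary groups and the
 * primary gid must be set while still root, because after setuid() the
 * process can no longer change its groups. Returns true on success.
 */
function dropPrivileges(string $user): bool
{
    if (posix_geteuid() !== 0) {
        // Already unprivileged (e.g. started via "sudo -u wikidata"); nothing to do.
        return true;
    }
    $pw = posix_getpwnam($user);
    if ($pw === false) {
        fwrite(STDERR, "unknown user: $user\n");
        return false;
    }
    // 1. supplementary groups (www-data etc.), 2. primary gid, 3. uid
    if (!posix_initgroups($user, $pw['gid'])) { return false; }
    if (!posix_setgid($pw['gid']))            { return false; }
    if (!posix_setuid($pw['uid']))            { return false; }

    // Verify the drop really happened and cannot be undone.
    if (posix_getuid() !== $pw['uid'] || posix_geteuid() !== $pw['uid']) {
        return false;
    }
    if (@posix_setuid(0)) {
        // Must fail; if it succeeds we never really gave up root.
        fwrite(STDERR, "privilege drop could be reverted, aborting\n");
        return false;
    }
    return true;
}

/**
 * Hand a file created while we were root (e.g. the pid file) to the target
 * user so it stays readable and writable after the drop.
 */
function reownFile(string $path, string $user): bool
{
    if (!file_exists($path)) {
        return true; // nothing to fix; the unprivileged process will create it
    }
    $pw = posix_getpwnam($user);
    return $pw !== false && chown($path, $pw['uid']) && chgrp($path, $pw['gid']);
}

// --- usage ---
if (!reownFile(PID_FILE, TARGET_USER) || !dropPrivileges(TARGET_USER)) {
    exit(1);
}
file_put_contents(PID_FILE, (string) getmypid());
// From here on, the polling work runs as "wikidata", never as root.
```

Running the script under "sudo -u wikidata" from cron, as the crontab on dev already does, makes dropPrivileges() a no-op, so the same file works in both setups; the reownFile() step is what prevents the "pid file written as root, unreadable afterwards" failure mentioned above.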