
C_FORCE_ROOT is bad, change pickle as serialization format for celery
Closed, Declined · Public

Description

To fix a recent bug I had to upgrade celery. But this highlighted that we have a security issue due to Celery running as root and pickle being the default serialization format. We need to:

  1. stop running Celery as root (configure upstart)
  2. stop using pickle as the serialization format

Version: unspecified
Severity: normal
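An added example, not part of this task or of the Wikimetrics code base: a small stand-alone audit of a Celery settings mapping that flags the two problems the description names, pickle being accepted or emitted and the worker running as root with C_FORCE_ROOT. It understands both the Celery 3.x upper-case setting names and the lower-case Celery 4+ names; the sample WEAK and HARDENED mappings are constructed, not Wikimetrics' real configuration.

```python
import os

# Celery 3.x (upper-case) and Celery 4+ (lower-case) names of the relevant settings.
SERIALIZER_KEYS = ("task_serializer", "CELERY_TASK_SERIALIZER",
                   "result_serializer", "CELERY_RESULT_SERIALIZER")
ACCEPT_KEYS = ("accept_content", "CELERY_ACCEPT_CONTENT")
UNSAFE_FORMATS = {"pickle"}  # pickle.loads instantiates arbitrary objects


def audit_celery_config(conf, env=None, uid=None):
    """Return a list of findings for a Celery settings mapping.

    env and uid default to the current process and can be injected for tests.
    """
    env = os.environ if env is None else env
    uid = getattr(os, "getuid", lambda: -1)() if uid is None else uid
    findings = []
    # What the worker accepts matters most: switching producers to JSON does not
    # help while the worker still deserializes pickle from anyone who can
    # write to the broker.
    accepted = next((conf[k] for k in ACCEPT_KEYS if k in conf), None)
    if accepted is None:
        findings.append("accept_content not set: relies on the Celery version's default")
    else:
        for fmt in sorted(UNSAFE_FORMATS & set(accepted)):
            findings.append(f"accept_content allows {fmt}")
    # Producers should emit JSON so nothing legitimately needs pickle.
    for key in SERIALIZER_KEYS:
        if conf.get(key) in UNSAFE_FORMATS:
            findings.append(f"{key} = {conf[key]!r}")
    # Root plus unsafe deserialization is the combination this task is about.
    if uid == 0:
        findings.append("worker runs as uid 0")
    if env.get("C_FORCE_ROOT"):
        findings.append("C_FORCE_ROOT is set, overriding Celery's refusal to run as root")
    return findings


# Constructed sample settings (not the Wikimetrics configuration).
WEAK = {"CELERY_TASK_SERIALIZER": "pickle", "CELERY_RESULT_SERIALIZER": "pickle",
        "CELERY_ACCEPT_CONTENT": ["pickle", "json"]}
HARDENED = {"task_serializer": "json", "result_serializer": "json",
            "accept_content": ["json"]}

if __name__ == "__main__":
    print("weak:", audit_celery_config(WEAK, env={"C_FORCE_ROOT": "1"}, uid=0))
    print("hardened:", audit_celery_config(HARDENED, env={}, uid=1000))
```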

Details

Reference
bz60289

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 2:52 AM
bzimport set Reference to bz60289.

bingle-admin wrote:

Prioritization and scheduling of this bug is tracked on Mingle card https://wikimedia.mingle.thoughtworks.com/projects/analytics/cards/cards/1396

csalvia wrote:

Going to change pickle to JSON.

(In reply to comment #0)

  1. stop running Celery as root (configure upstart)

The Puppet module provisions an Upstart job which sets gid/uid to wikimetrics.

Thanks Ori, that's a good point. Wikimetrics came before its puppetization, so the "production" instance suffers from this problem. We should fix it by puppetizing it.

mforns subscribed.

Declining because Wikimetrics is being discontinued. See: T211835.

Restricted Application added a subscriber: jeblad.