Users with primary group of 550(svn) cannot sudo as mwdeploy on deployment-bastion
Closed, Resolved; Public

Description

I used to be able to sudo as mwdeploy but now can't.

I am in the 'svn' group.

sudo -u mwdeploy -- touch extensions/Wikidata/extensions/Wikibase/lib/resources/wikibase.utilities/wikibase.utilities.GuidGenerator.js
[sudo] password for aude:
Sorry, user aude is not allowed to execute '/usr/bin/touch extensions/Wikidata/extensions/Wikibase/lib/resources/wikibase.utilities/wikibase.utilities.GuidGenerator.js' as mwdeploy on deployment-bastion.eqiad.wmflabs.


Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=63028

Details

Reference
bz65548

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:08 AM
bzimport set Reference to bz65548.

Change 134491 had a related patch set uploaded by BryanDavis:
Labs: Add deployment related sudoer rules for svn group

https://gerrit.wikimedia.org/r/134491

Does this mean the users should be converted like in:

https://bugzilla.wikimedia.org/show_bug.cgi?id=64596

(instead of working around it)?

(In reply to Daniel Zahn from comment #2)

> Does this mean the users should be converted like in:
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=64596
>
> (instead of working around it)?

I think it's related but slightly different. The problem here is actually https://bugzilla.wikimedia.org/show_bug.cgi?id=63028. Aude, hashar and apparently about 400 other users have a primary gid of 550(svn) instead of 500(wikidev). This wouldn't be too big of a deal if they were also members of the 500(wikidev) group, but they are not.

I think the best fix for this would be to update all users that have 550(svn) as their primary group to have 500(wikidev) as their primary group.

Following that, one of two things should happen: either all files owned by group 550(svn) should be changed to 500(wikidev) across all of labs, or, probably more rationally, all users in the 500(wikidev) group should be added to the 550(svn) as a secondary group. If the latter action is taken, the script that creates new users in LDAP should also be updated to add all future users to the 550(svn) group as a secondary group.
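An added example, not part of the original comment or of Wikimedia's tooling: a small audit for the condition described above, listing accounts whose primary GID is 550(svn) and that are not also members of 500(wikidev). The function names, UIDs and the two extra sample accounts are constructed for illustration; on a live host the inputs would be the saved output of `getent passwd` and `getent group`.

```shell
#!/bin/sh
# Added example. GIDs 550(svn) and 500(wikidev) come from the task;
# everything else here is an assumption made for illustration.

# find_affected PASSWD_FILE GROUP_FILE
# Prints, one per line and sorted, every login whose primary GID is 550
# and which is not listed as a member of the group with GID 500.
find_affected() {
    awk -F: -v old_gid=550 -v want_gid=500 '
        # First operand: group(5) lines -> name:passwd:gid:member,member
        FILENAME == ARGV[1] {
            if ($3 == want_gid) {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        # Second operand: passwd(5) lines -> login:passwd:uid:gid:...
        $4 == old_gid && !($1 in member) { print $1 }
    ' "$2" "$1" | sort
}

# write_sample DIR
# Writes constructed passwd/group files. aude and hashar are the accounts
# named in the task; example_both and example_dev are hypothetical.
write_sample() {
    cat > "$1/passwd" <<'EOF'
aude:x:2001:550::/home/aude:/bin/bash
hashar:x:2002:550::/home/hashar:/bin/bash
example_both:x:2003:550::/home/example_both:/bin/bash
example_dev:x:2004:500::/home/example_dev:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
wikidev:x:500:example_both
svn:x:550:
EOF
}
```

An account whose primary GID is 550 but which is listed as a wikidev member (example_both in the sample) is not reported, since only accounts with no wikidev membership at all are affected.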

Change 134491 merged by Dzahn:
Labs: Add deployment related sudoer rules for svn group

https://gerrit.wikimedia.org/r/134491

Change 135622 had a related patch set uploaded by BryanDavis:
Revert "Labs: Add deployment related sudoer rules for svn group"

https://gerrit.wikimedia.org/r/135622

Change 135622 merged by Dzahn:
Revert "Labs: Add deployment related sudoer rules for svn group"

https://gerrit.wikimedia.org/r/135622