r91703 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r91702‎ \| r91703 \| r91704 >
Date:	00:50, 8 July 2011
Author:	tstarling
Status:	ok
Tags:
Comment:	* Sync script updates for improved privilege separation. A new user (mwdeploy) is created, which owns all the files in common-local. The texvc install is run as this user. Previously there was a potential for privilege escalation when root users executed scripts which were writable by wikidev. Now the scripts are only run as the unprivileged user, mwdeploy. * Merged sync-common-all and scap. The distinction was pretty stupid to start with, and only got more stupid as time went by, as functionality was copied from scap to sync-common-all. * Installed texvc to a directory writable by mwdeploy, instead of to /usr/local/bin. We would have needed to change the directory for HetDeploy anyway.
Modified paths:	/trunk/debs/wikimedia-task-appserver/debian/postinst (modified) (history) /trunk/debs/wikimedia-task-appserver/debian/postrm (modified) (history) /trunk/debs/wikimedia-task-appserver/debian/rules (modified) (history) /trunk/debs/wikimedia-task-appserver/install-common (deleted) (history) /trunk/debs/wikimedia-task-appserver/scap-1 (modified) (history) /trunk/debs/wikimedia-task-appserver/scap-1skins (modified) (history) /trunk/debs/wikimedia-task-appserver/scap-2 (modified) (history) /trunk/debs/wikimedia-task-appserver/set-group-write2 (deleted) (history) /trunk/debs/wikimedia-task-appserver/sync-common (modified) (history)

Diff [purge]

Index: trunk/debs/wikimedia-task-appserver/set-group-write2
—	—	@@ -1,9 +0,0 @@
2		~~-#!/bin/bash~~
3		-
4		~~-PATH=/bin:/usr/bin:/sbin:/usr/sbin~~
5		-
6		~~-target1=/var/tmp/texvc~~
7		~~-target2=/apache/common/php-1.17~~
8		-
9		~~-find $target1 -group wikidev -not -perm -020 -perm -200 -exec chmod g+w '{}' ';'~~
10		~~-find $target2 -group wikidev -not -perm -020 -perm -200 -exec chmod g+w '{}' ';'~~
Index: trunk/debs/wikimedia-task-appserver/install-common
—	—	@@ -1,3 +0,0 @@
2		~~-#!/bin/sh~~
3		-
4		~~-cp /var/tmp/texvc/texvc /usr/local/bin/~~
Index: trunk/debs/wikimedia-task-appserver/debian/postinst
—	—	@@ -29,6 +29,12 @@
30	30	then
31	31	adduser --system --home /var/www --shell /sbin/nologin --no-create-home --uid 48 --gid 48 --disabled-password apache
32	32	fi
	33	+
	34	+ if ! getent passwd mwdeploy > /dev/null
	35	+ then
	36	+ adduser --system --home /var/www --shell /sbin/nologin --no-create-home --group --disabled-password mwdeploy
	37	+ fi
	38	+
33	39	}
34	40
35	41	case "$1" in
Index: trunk/debs/wikimedia-task-appserver/debian/postrm
—	—	@@ -21,7 +21,9 @@
22	22	purge)
23	23	# Remove apache user
24	24	deluser apache \|\| true
	25	+ deluser mwdeploy \|\| true
25	26	delgroup apache \|\| true
	27	+ delgroup mwdeploy \|\| true
26	28
27	29	;;
28	30	remove)
Index: trunk/debs/wikimedia-task-appserver/debian/rules
—	—	@@ -51,8 +51,7 @@
52	52	# Install sync/check scripts
53	53	install -d -m 0755 $(DESTDIR)/usr/bin
54	54	install -d -m 0755 $(DESTDIR)/usr/sbin
55		~~- install -m 0750 sync-common apache-sanity-check apache-start check-time scap-1skins scap-1 $(DESTDIR)/usr/bin~~
56		~~- install -m 0750 scap-2 set-group-write2 install-common $(DESTDIR)/usr/sbin~~
	55	+ install -m 0755 sync-common apache-sanity-check apache-start check-time scap-1skins scap-1 scap-2 $(DESTDIR)/usr/bin
57	56
58	57	# Build architecture-independent files here.
59	58	binary-indep: build install
Index: trunk/debs/wikimedia-task-appserver/sync-common
—	—	@@ -1,28 +1,3 @@
2	2	#!/bin/sh
3		-#
4		~~-# This is an aggregated version of the scripts called by /home/w/bin/sync-common,~~
5		~~-# not depending on NFS /home.~~
	3	+/usr/bin/scap-1
6	4
7		~~-set -e~~
8		~~-umask 002~~
9		-
10		~~-export PATH=/bin:/usr/bin:/sbin:/usr/sbin~~
11		-
12		~~-# Set ownership~~
13		~~-[ -d /usr/local/apache/common-local/php-1.17 ] \|\| mkdir -p /usr/local/apache/common-local/php-1.17~~
14		~~-find /usr/local/apache/common/php-1.17 -group wikidev -not -perm -020 -perm -200 -exec chmod g+w '{}' ';'~~
15		-
16		~~-# Compile texvc~~
17		~~-echo -n Compiling texvc...~~
18		~~-[ -d /var/tmp/texvc ] \|\| mkdir /var/tmp/texvc~~
19		~~-rsync -r --exclude=.svn/ 10.0.5.8::common/php-1.17/math/ /var/tmp/texvc~~
20		~~-cd /var/tmp/texvc~~
21		~~-make -f Makefile texvc >/dev/null 2>/dev/null && echo ok \|\| echo failed~~
22		~~-sudo /usr/sbin/install-common~~
23		~~-cd -~~
24		~~-rm -rf /var/tmp/texvc~~
25		-
26		~~-# rsync common~~
27		~~-echo -n Copying to `hostname -s`...~~
28		~~-rsync -a --delete '--exclude=**/.svn/lock' 10.0.5.8::common/ /usr/local/apache/common-local~~
29		~~-echo Done.~~
Index: trunk/debs/wikimedia-task-appserver/scap-1
—	—	@@ -1,14 +1,20 @@
2	2	#!/bin/sh
3	3
4		~~-# Compile as regular user~~
5		~~-echo -n Compiling texvc...~~
6		~~-[ -d /var/tmp/texvc ] \|\| mkdir /var/tmp/texvc~~
7		~~-rsync -r --exclude=.svn/ 10.0.5.8::common/php-1.17/math/ /var/tmp/texvc~~
8		~~-cd /var/tmp/texvc~~
9		~~-make -f Makefile texvc >/dev/null 2>/dev/null && echo ok \|\| echo failed~~
	4	+if [ ! -d /usr/local/apache/common-local ];then
	5	+ if ! install -d -o mwdeploy -g mwdeploy /usr/local/apache/common-local; then
	6	+ echo "Unable to create common-local, please re-run this script as root."
	7	+ exit 1
	8	+ fi
	9	+fi
10	10
11		~~-# Copy and install as root~~
12		~~-sudo /usr/sbin/scap-2~~
	11	+if [ ! -d /usr/local/apache/uncommon ];then
	12	+ if ! install -d -o mwdeploy -g mwdeploy /usr/local/apache/uncommon; then
	13	+ echo "Unable to create /usr/local/apache/uncommon, please re-run this script as root."
	14	+ exit 1
	15	+ fi
	16	+fi
13	17
	18	+sudo -u mwdeploy /usr/bin/scap-2
	19	+
14	20	echo Done
15	21
Index: trunk/debs/wikimedia-task-appserver/scap-2
—	—	@@ -2,12 +2,39 @@
3	3
4	4	PATH=/bin:/usr/bin:/sbin:/usr/sbin:
5	5
6		~~-echo -n Updating php-1.17...~~
7		~~-rsync -a 10.0.5.8::common/php-1.17/ /usr/local/apache/common-local/php-1.17 && echo ok \|\| echo failed~~
	6	+echo -n Copying to `hostname -s`...
	7	+if rsync -a --delete --exclude=**/.svn/lock --no-perms \
	8	+ 10.0.5.8::common/ /usr/local/apache/common-local
	9	+then
	10	+ echo ok
	11	+else
	12	+ echo failed
	13	+ exit 1
	14	+fi
8	15
9		~~-# Install compiled executables~~
10		~~-/usr/sbin/install-common~~
11	16
12		~~-echo -n "Restarting apache... "~~
13		~~-/usr/bin/apache-sanity-check && ( sudo /usr/sbin/apache2ctl stop; sudo killall -9 apache2;sleep 3; sudo /usr/sbin/apache2ctl start )~~
	17	+echo -n Compiling texvc...
14	18
	19	+builddir=`mktemp -dt texvc-build.XXXXXXXXXX`
	20	+if [ -z "$builddir" ]; then
	21	+ echo "Unable to create temporary directory"
	22	+ exit 1
	23	+fi
	24	+
	25	+rsync -r --exclude=.svn/ /usr/local/apache/common-local/php-1.17/math/ "$builddir"
	26	+cd "$builddir"
	27	+if make -f Makefile texvc >/dev/null 2>/dev/null; then
	28	+ echo ok
	29	+ install -d /usr/local/apache/uncommon/1.17/bin
	30	+ install -m 755 "$builddir"/texvc /usr/local/apache/uncommon/1.17/bin
	31	+else
	32	+ echo failed
	33	+ exit 1
	34	+fi
	35	+rm -r "$builddir"
	36	+cd /
	37	+
	38	+
	39	+#echo -n "Restarting apache... "
	40	+#/usr/bin/apache-sanity-check && ( sudo /usr/sbin/apache2ctl stop; sudo killall -9 apache2;sleep 3; sudo /usr/sbin/apache2ctl start )
	41	+
Index: trunk/debs/wikimedia-task-appserver/scap-1skins
—	—	@@ -1,5 +1,8 @@
2		~~-#!/bin/sh~~
	2	+#!/bin/bash
3	3
4		~~-rsync -a 10.0.5.8::common/php-1.17/skins/ \~~
5		~~- /usr/local/apache/common-local/php-1.17/skins \~~
6		~~- && echo ok \|\| echo failed~~
	4	+sudo -u mwdeploy sh -c '
	5	+rsync -a --no-perms 10.0.5.8::common/php-1.17/skins/ \
	6	+/usr/local/apache/common-local/php-1.17/skins && \
	7	+echo ok \|\| \
	8	+echo failed
	9	+'

Follow-up revisions

Revision	Commit summary	Author	Date
r92611	* Added MWMultiVersion::getVersionNumber method and use it for various dirs (...	aaron	08:14, 20 July 2011
r96377	MFT r91703-r95805 from debs/wikimedia-task/appserver	aaron	22:13, 6 September 2011

Status & tagging log

19:12, 9 August 2011 Aaron Schulz (talk | contribs) changed the status of r91703 [removed: new added: ok]