Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/291202
Change subject: Enable firejail for image scaling
......................................................................

Enable firejail for image scaling

This enables firejail for the bulk of image scaling (some extensions need more work). This uses a wrapper which invokes convert(1) with a Firejail profile which runs the scaling in a sandbox which:

- implements a seccomp filter which blocks common, potentially harmful system calls typically used in privilege escalation exploits
- drops all capabilities
- disables the root user
- mounts a private /dev directory which only provides required pseudo devices like /dev/zero, ttys or /dev/(u)random
- creates an unconnected network namespace with only a loopback interface
- blacklists access to various directories (e.g. /etc/ssh, /home/, sbin dirs)

One thing I would like to add in the future is to use a local overlayfs for /tmp (but that will only be available once we migrate to jessie since it requires a Linux kernel >= 3.18).

The wrapper can also be reused at a later point when we move to Thumbor (and we can also provide it for our mediawiki distribution so that others can deploy that change as well).

I have already enabled this change as a canary on mw1153 without any problems (but will revert later on since this is not a change to make on a Friday) with the plan to merge on Monday.

Bug: T135111
Change-Id: Ia02b8fc72449367ad1afa231d0548c2d561494ad
---
M wmf-config/CommonSettings.php
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/mediawiki-config refs/changes/02/291202/1

diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php index 32df79a..f9df1b0 100644 --- a/wmf-config/CommonSettings.php +++ b/wmf-config/CommonSettings.php 
@@ -447,7 +447,7 @@ $wgUseImageResize = true; $wgUseImageMagick = true; -$wgImageMagickConvertCommand = '/usr/bin/convert'; +$wgImageMagickConvertCommand = '/usr/local/bin/mediawiki-firejail-convert'; $wgSharpenParameter = '0x0.8'; # for IM>6.5, T26857 $wgFileBlacklist[] = 'txt'; -- To view, visit https://gerrit.wikimedia.org/r/291202 Gerrit-MessageType: newchange Gerrit-Change-Id: Ia02b8fc72449367ad1afa231d0548c2d561494ad Gerrit-PatchSet: 1 Gerrit-Project: operations/mediawiki-config Gerrit-Branch: master Gerrit-Owner: Muehlenhoff <[email protected]>
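Review bot: The new $wgImageMagickConvertCommand value in the CommonSettings.php hunk points at '/usr/local/bin/mediawiki-firejail-convert', which this change does not add (the diffstat shows only CommonSettings.php), so every host that loads this config needs the wrapper and its Firejail profile installed before the merge, otherwise the scaler command will not be found there. The commit message mentions a canary on mw1153 only; please link the change that ships the wrapper and confirm it is deployed to all hosts that scale images. The assignment also carries no comment explaining the non-standard path, unlike the next line's "# for IM>6.5, T26857"; a trailing comment such as "# Firejail sandbox wrapper, T135111" would make the reason visible in the config and help anyone debugging a scaling failure find the sandbox.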
