jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/396080 )

Change subject: shell: Add NO_LOCALSETTINGS restriction
......................................................................


shell: Add NO_LOCALSETTINGS restriction

Most secret information like database passwords is kept in LocalSettings.php,
so blacklisting that file by default would take away a lot of information an
attacker would want.

Since most commands shouldn't need to read the PHP configuration, add it to
RESTRICT_DEFAULT. People can still use:
 $cmd->restrict( Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS );

if they need to still access LocalSettings.php.

Bug: T182484
Change-Id: I4032e2706e808e9b819e92a06eff536ccf043388
---
M includes/shell/FirejailCommand.php
M includes/shell/Shell.php
M tests/phpunit/includes/shell/FirejailCommandTest.php
3 files changed, 15 insertions(+), 3 deletions(-)

Approvals:
  Gergő Tisza: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/shell/FirejailCommand.php 
b/includes/shell/FirejailCommand.php
index 79f679d..68a1822 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -110,6 +110,10 @@
                        }
                }
 
+               if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+                       $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+               }
+
                if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
                        $cmd[] = '--noroot';
                }
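Review bot: realpath( MW_CONFIG_FILE ) in the added NO_LOCALSETTINGS branch returns false when the file is missing or cannot be resolved, and the concatenation then produces a bare '--blacklist=' argument with no path. Suggest resolving the path first and, when it is false, either failing outright or skipping the option with a logged warning, so a default restriction is never dropped silently. The path is also appended without quoting on this line, so it is worth confirming that the elements of $cmd are escaped before the command string is built.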
diff --git a/includes/shell/Shell.php b/includes/shell/Shell.php
index 084e10e..05463db 100644
--- a/includes/shell/Shell.php
+++ b/includes/shell/Shell.php
@@ -45,13 +45,13 @@
         * Apply a default set of restrictions for improved
         * security out of the box.
         *
-        * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
+        * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
         *
         * @note This value will change over time to provide increased security
         *       by default, and is not guaranteed to be backwards-compatible.
         * @since 1.31
         */
-       const RESTRICT_DEFAULT = 7;
+       const RESTRICT_DEFAULT = 39;
 
        /**
         * Disallow any root access. Any setuid binaries
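Review bot: RESTRICT_DEFAULT = 39 is a hand-computed literal that has to be kept in step with the doc comment above it (the old 7 plus the new flag 32). Suggest writing the value as the expression self::NO_ROOT | self::SECCOMP | self::PRIVATE_DEV | self::NO_LOCALSETTINGS so the comment and the value cannot drift apart. Because this changes behaviour for every existing caller of RESTRICT_DEFAULT, the opt-out from the commit message, RESTRICT_DEFAULT & ~NO_LOCALSETTINGS, would be useful in this doc block as well.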
@@ -93,6 +93,13 @@
        const NO_EXECVE = 16;
 
        /**
+        * Deny access to LocalSettings.php (MW_CONFIG_FILE)
+        *
+        * @since 1.31
+        */
+       const NO_LOCALSETTINGS = 32;
+
+       /**
         * Returns a new instance of Command class
         *
         * @param string|string[] $command String or array of strings 
representing the command to
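Review bot: the doc comment on NO_LOCALSETTINGS says access to LocalSettings.php is denied but does not state the scope: only the single path in MW_CONFIG_FILE is covered, so secrets kept in files that LocalSettings.php includes are not blocked by this flag. Suggest saying so in the comment, and noting that in this change the flag is only acted on by FirejailCommand.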
diff --git a/tests/phpunit/includes/shell/FirejailCommandTest.php 
b/tests/phpunit/includes/shell/FirejailCommandTest.php
index c9db74f..57d820e 100644
--- a/tests/phpunit/includes/shell/FirejailCommandTest.php
+++ b/tests/phpunit/includes/shell/FirejailCommandTest.php
@@ -31,7 +31,8 @@
                // @codingStandardsIgnoreEnd
                $limit = "$IP/includes/shell/limit.sh";
                $profile = "--profile=$IP/includes/shell/firejail.profile";
-               $default = '--noroot --seccomp=@default --private-dev';
+               $blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
+               $default = "$blacklist --noroot --seccomp=@default 
--private-dev";
                return [
                        [
                                'No restrictions',
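Review bot: $blacklist is built with the same realpath( MW_CONFIG_FILE ) expression as the code under test, so the expected string still matches if realpath() returns false and the option degrades to an empty '--blacklist='. Suggest asserting that the resolved path is non-empty before building $default. The change also only updates the $default string; a case for RESTRICT_DEFAULT & ~NO_LOCALSETTINGS, the opt-out named in the commit message, would cover the new flag on its own.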

-- 
To view, visit https://gerrit.wikimedia.org/r/396080
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I4032e2706e808e9b819e92a06eff536ccf043388
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Legoktm <[email protected]>
Gerrit-Reviewer: Gergő Tisza <[email protected]>
Gerrit-Reviewer: Legoktm <[email protected]>
Gerrit-Reviewer: MaxSem <[email protected]>
Gerrit-Reviewer: Tim Starling <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
