[Bug 73102] An inserted image gives 403 Forbidden
https://bugzilla.wikimedia.org/show_bug.cgi?id=73102 Bryan Davis bda...@wikimedia.org changed: What|Removed |Added CC||bda...@wikimedia.org --- Comment #2 from Bryan Davis bda...@wikimedia.org --- This is an occasional problem with file permissions on the shared NFS directories used for beta's image uploads: deployment-bastion:~ bd808$ ls -ld /data/project/upload7/wikipedia/en/thumb/6/6e/Paragon_2725918194_4227b11610.jpg drwx-- 2 pybal-check apache 4096 Nov 6 23:54 /data/project/upload7/wikipedia/en/thumb/6/6e/Paragon_2725918194_4227b11610.jpg/ This seems to be caused in part by mismatched user ids across the beta cluster: * deployment-bastion: uid=48(apache) gid=48(apache) groups=48(apache) * deployment-bastion: uid=997(pybal-check) gid=52067(pybal-check) groups=52067(pybal-check) * deployment-mediawiki01: uid=997(apache) gid=48(apache) groups=48(apache) * deployment-mediawiki02: uid=997(apache) gid=48(apache) groups=48(apache) It also looks like the umask is not set well in some path that handles actually creating new directory paths. The best long term fix for this is to setup a Swift cluster in beta (bug 62835). The short term hack is to chmod/chown the files under /data/project/upload7. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 73102] An inserted image gives 403 Forbidden
https://bugzilla.wikimedia.org/show_bug.cgi?id=73102 Bryan Davis bda...@wikimedia.org changed: What|Removed |Added Priority|Unprioritized |Normal Status|NEW |RESOLVED Resolution|--- |FIXED Assignee|wikibugs-l@lists.wikimedia. |bda...@wikimedia.org |org | --- Comment #3 from Bryan Davis bda...@wikimedia.org --- Ran `chmod -R =rwX /data/project/upload7` to fix all file permissions. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 73102] An inserted image gives 403 Forbidden
https://bugzilla.wikimedia.org/show_bug.cgi?id=73102 Marc A. Pelletier m...@uberbox.org changed: What|Removed |Added CC||m...@uberbox.org --- Comment #4 from Marc A. Pelletier m...@uberbox.org --- Be aware that doing so has given write permission to any authenticated user. This may not be a catastrophe in practice, but it has security impact. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 73102] An inserted image gives 403 Forbidden
https://bugzilla.wikimedia.org/show_bug.cgi?id=73102 --- Comment #5 from Bryan Davis bda...@wikimedia.org --- (In reply to Marc A. Pelletier from comment #4) Be aware that doing so has given write permission to any authenticated user. This may not be a catastrophe in practice, but it has security impact. This has been the fix for this particular issue as long as I've been helping in beta. I agree that chmod 0777 is a lame solution, but the uid/gid mismatches and NFS4 acls are a bit of a blocker to proper management of the shared file permissions. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 73102] An inserted image gives 403 Forbidden
https://bugzilla.wikimedia.org/show_bug.cgi?id=73102 --- Comment #6 from Marc A. Pelletier m...@uberbox.org --- NFSv4 doesn't actually require UID concordance so long as the user /name/ exists on the NFS server do that it doesn't fall back to numerical IDs - the proper solution to this is to make certain that any user or group that owns files in the shared filesystem exist on the NFS servers. In the general Labs case, this is done through LDAP - but users and groups coming from Debian packages need to either be added (before installation) to LDAP or added to the NFS servers. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 73102] An inserted image gives 403 Forbidden
https://bugzilla.wikimedia.org/show_bug.cgi?id=73102 --- Comment #7 from Bryan Davis bda...@wikimedia.org --- (In reply to Marc A. Pelletier from comment #6) NFSv4 doesn't actually require UID concordance so long as the user /name/ exists on the NFS server do that it doesn't fall back to numerical IDs - the proper solution to this is to make certain that any user or group that owns files in the shared filesystem exist on the NFS servers. In the general Labs case, this is done through LDAP - but users and groups coming from Debian packages need to either be added (before installation) to LDAP or added to the NFS servers. Bug 73206 opened to track this issue. -- You are receiving this mail because: You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 73102] An inserted image gives 403 Forbidden
https://bugzilla.wikimedia.org/show_bug.cgi?id=73102 Andre Klapper aklap...@wikimedia.org changed: What|Removed |Added CC||benap...@gmail.com, ||cmcma...@wikimedia.org, ||g...@wikimedia.org, ||has...@free.fr, ||platoni...@gmail.com, ||s...@reedyboy.net, ||t...@tim-landscheidt.de Component|General/Unknown |deployment-prep (beta) Product|MediaWiki |Wikimedia Labs --- Comment #1 from Andre Klapper aklap...@wikimedia.org --- http://en.wikipedia.beta.wmflabs.org/wiki/File:Paragon_2725918194_4227b11610.jpg Size of this preview links also trigger 403s Not an issue in the MediaWiki codebase but server stuff, hence moving to Wikimedia Labs deployment-prep (beta) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l