Last modified: 2014-09-26 17:12:53 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T66936, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 64936 - Running a PHP script from command line without sudoing to www-data messes up file permissions
Running a PHP script from command line without sudoing to www-data messes up ...
Status: RESOLVED FIXED
Product: MediaWiki-Vagrant
Classification: Unclassified
General (Other open bugs)
unspecified
All All
: Unprioritized normal
: ---
Assigned To: Ori Livneh
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-05-06 01:09 UTC by Tisza Gergő
Modified: 2014-09-26 17:12 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Tisza Gergő 2014-05-06 01:09:29 UTC 
Web uploads create files and directories in /srv/images with owner www-data:www-data; job queue uploads do it with vagrant:vagrant. This results in all kinds of errors when using the GWToolset role.
Comment 1 Tisza Gergő 2014-05-06 18:11:06 UTC 
This could be handled by creating a group that contains both the www-data and vagrant users, chowning everything under /srv/images to that group, setting everything g+w, setting setgid for all directories, and set a permissive umask. (Not sure how to do the last part, [[mw:Manual:$wgDirectoryMode]] defaults to 777, and vagrant does use that, but www-data does not. Maybe just calling umask() somewhere in the config would do the trick.)
Comment 2 Bryan Davis 2014-05-06 19:08:03 UTC 
(In reply to Tisza Gergő from comment #0)
> job queue uploads do it with vagrant:vagrant

What's causing the job queue to run as the vagrant user? Is there a cron somewhere that just needs to have it's user setting adjusted?
Comment 3 Tisza Gergő 2014-05-06 19:29:12 UTC 
Now that you say it, that might have been me when I was trying to debug a failing job. Does vagrant even process the job queue? I can't find anything to that effect.

So basically the solution is to make sure I sudo -u www-data every time I run a PHP script that creates files? That does not feel developer-friendly.
Comment 4 Tisza Gergő 2014-05-06 20:48:16 UTC 
Indeed, I ran the script with the wrong permissions, so the bug in its original form is invalid. I still think there should be some sort of warning or workaround so that running a script from the command line does not mess up the permissions, but I have no idea how that could be done (unless we mess around with ACLs).
Comment 5 Erik Bernhardson 2014-05-06 20:50:41 UTC 
i wonder if this whole thing could be simplified by running web as the vagrant user?  Its insecure, but as a development machine I'm ok with that.
Comment 6 Bryan Davis 2014-05-06 21:59:06 UTC 
This is not a unique problem for the MediaWiki-Vagrant environment. On the production cluster we use a wrapper script (mwscript) in part to ensure that scripts end up being run as the same user as Apache. I think it would be great to provide an equivalent to `mwscript` and document that it should be used. Alternately we could alias php to 'sudo -u www-data -n -- php "$@"' in the .bashrc for the 'vagrant' user.
Comment 7 Bryan Davis 2014-09-26 17:12:53 UTC 
Since https://gerrit.wikimedia.org/r/#/c/149872/ the wmscript wrapper is needed to run maintence scripts and it forces `sudo -u www-data`. It is still possible to mess up file permissions, but it should be much less likely to occur now.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links