Last modified: 2014-05-27 22:14:31 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T67548, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 65548 - Users with primary group of 550(svn) cannot sudo as mwdeploy on deployment-bastion


Summary:	Users with primary group of 550(svn) cannot sudo as mwdeploy on deployment-ba...

Status:	RESOLVED FIXED

Product:	Wikimedia Labs
Classification:	Unclassified
Component:	deployment-prep (beta) (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Unprioritized normal
Target Milestone:	---
Assigned To:	Bryan Davis

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-05-20 19:51 UTC by Aude
Modified:	2014-05-27 22:14 UTC (History)
CC List:	8 users (show)

See Also:	63028
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Aude 2014-05-20 19:51:20 UTC

I used to be able to sudo as mwdeploy but now can't.

I am in the 'svn' group.

sudo -u mwdeploy -- touch extensions/Wikidata/extensions/Wikibase/lib/resources/wikibase.utilities/wikibase.utilities.GuidGenerator.js
[sudo] password for aude: 
Sorry, user aude is not allowed to execute '/usr/bin/touch extensions/Wikidata/extensions/Wikibase/lib/resources/wikibase.utilities/wikibase.utilities.GuidGenerator.js' as mwdeploy on deployment-bastion.eqiad.wmflabs.

Comment 1 Gerrit Notification Bot 2014-05-20 21:14:35 UTC

Change 134491 had a related patch set uploaded by BryanDavis:
Labs: Add deployment related sudoer rules for svn group

https://gerrit.wikimedia.org/r/134491

Comment 2 Daniel Zahn 2014-05-20 21:19:17 UTC

Does this mean the users should be converted like in:

https://bugzilla.wikimedia.org/show_bug.cgi?id=64596

(instead of working around it)?

Comment 3 Bryan Davis 2014-05-21 01:09:01 UTC

(In reply to Daniel Zahn from comment #2)
> Does this mean the users should be converted like in:
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=64596
> 
> (instead of working around it)?

I think it's related but slightly different. The problem here is actually https://bugzilla.wikimedia.org/show_bug.cgi?id=63028. Aude, hashar and apparently about 400 other users have a primary gid of 550(svn) instead of 500(wikidev). This wouldn't be too big of a deal if they were also members of the 500(wikidev) group, but they are not.

I think the best fix for this would be to update all users that have 550(svn) as their primary group to have 500(wikidev) as their primary group.

Following that one of two things should happen, either all files owned by group 550(svn) should be changed to 500(wikidev) across all of labs, or probably more rationally all users in the 500(wikidev) group should be added to the 550(svn) as a secondary group. If the later action is taken the script that creates new users in ldap should also be updated to add all future users to the 550(svn) group as a secondary group.

Comment 4 Gerrit Notification Bot 2014-05-21 15:04:46 UTC

Change 134491 merged by Dzahn:
Labs: Add deployment related sudoer rules for svn group

https://gerrit.wikimedia.org/r/134491

Comment 5 Gerrit Notification Bot 2014-05-27 20:08:05 UTC

Change 135622 had a related patch set uploaded by BryanDavis:
Revert "Labs: Add deployment related sudoer rules for svn group"

https://gerrit.wikimedia.org/r/135622

Comment 6 Gerrit Notification Bot 2014-05-27 22:12:12 UTC

Change 135622 merged by Dzahn:
Revert "Labs: Add deployment related sudoer rules for svn group"

https://gerrit.wikimedia.org/r/135622

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links