You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

LocalisationUpdate/Proposed permissions setup

From Wikitech-static
Jump to navigation Jump to search

THIS IS AN OUT OF DATE PROPOSAL. It has been implemented with some changes. See LocalisationUpdate for current documentation.

Summary of changes

  • Create a new user for LU that only pushes out LU cache files
    • This user owns the LU cache file directory
    • This user has a passphraseless SSH key in its ~/.ssh on fenari so it can dsh to the Apaches
    • Allow this user to run the LU update script as apache via sudo
  • Run the cron job as this user too
  • Allow wikidev users to sudo to the LU user
  • Change the l10nupdate and sync-l10nupdate scripts to sudo themselves to the LU user so wikidevs can run them safely

File changes

/home/wikipedia/bin/sync-l10nupdate

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
sudo -u luUser /home/wikipedia/bin/sync-l10nupdate-1

/home/wikipedia/bin/sync-l10nupdate-1

Would be the current contents of sync-l10nupdate, sans the sudo -u mwdeploy bit in the rsync command.

/home/wikipedia/bin/l10nupdate

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
sudo -u luUser /home/wikipedia/bin/l10nupdate-1

/home/wikipedia/bin/l10nupdate-1

Would be the current contents of l10nupdate except that it would

  • run extensions/LocalisationUpdate/update.php as apache through sudo and a wrapper shell script (l10nupdate-2)
  • same for maintenance/wmf/clearMessageBlobs.php
  • call sync-l10nupdate-1 directly

/home/wikipedia/bin/l10nupdate-2

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
/home/wikipedia/bin/mwscript extensions/LocalisationUpdate/update.php "$@"

/home/wikipedia/bin/l10nupdate-3

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
/home/wikipedia/bin/mwscript maintenance/wmf/clearMessageBlobs.php "$@"

fenari:/etc/sudoers

  • Add luUser ALL = (apache) NOPASSWD: /home/wikipedia/bin/l10nupdate-2 /home/wikipedia/bin/l10nupdate-3
  • Allow ADMINS to run anything as luUser by adding to the user list on line 36

fenari:/etc/cron.d/l10nupdate

  • Change user to luUser instead of catrope
  • Change command to l10nupdate-1

fenari:/var/log/l10nupdate

  • Make this owned by the LU user instead
  • TODO: We'll probably also want to have multiple log files here some day, rather than just logging the last run. Needs proper log rotation and such too