move wiki to non-root user #3

Closed
ppelleti opened this issue Nov 2, 2016 · 11 comments

Contributor

ppelleti commented Nov 2, 2016

Currently, the wiki is running as root. Would be nice if it was not.

Contributor Author

ppelleti commented Nov 3, 2016

I'm not sure that the wiki is running as root after all. When I enabled logging, it wrote its logfile as the www-data user and group:

root@www:/var/log/mediawiki# ls -lh debug.log 
-rw-r--r-- 1 www-data www-data 2.5M Nov  3 00:07 debug.log

So I think at least the MediaWiki front-end (which is presumably running as part of the web server process) is running as www-data. However, I believe there is also a database and a memcached, and I don't know what users those are running as. Ideally, they would each be running as their own user, for maximum isolation.

Looking in /etc/passwd, there is a memcache user, so presumably that is what memcached is running as. Not sure about the database, though; I'll need to look into that further.

Contributor Author

ppelleti commented Nov 3, 2016

The database is MySQL, and it's running on a separate server, mysql01.haskell.org. So it's even more isolated than having a separate user.

@gbaz, based on this information, what do you want done?

Collaborator

gbaz commented Nov 3, 2016

So I guess the question that motivated this was -- it seemed that one needed root perms to edit wiki files, etc. If we just created a user that was non-root and had perms specific to wiki files, so that wiki admining could be done without root, I think that would resolve it...

Contributor Author

ppelleti commented Nov 3, 2016

OK, that should be fairly straightforward, up to a certain point. The wiki's config files are world-readable, so they could be owned by any old user and the wiki would still work. So, we could create a user wikiadmin to own the config files and other files that might need to be modified. Then someone could log on as wikiadmin and administer the wiki, provided that we correctly identified all the files they might need to change.

Identifying all the files that might be needed could be tricky. For example, to fix the diff bug, am I going to need access to /usr/lib/php5/20121212/wikidiff2.so? Not sure. So I think we could easily get to the point where a lesser-privileged user could perform many wiki administration tasks, but there would still be a need for a root user to assist from time to time.

If that's acceptable, then I can move forward with it.

If you want administration of the wiki to be completely self-sufficient, then I think the only way to ensure that would be to have the wiki on its own virtual machine. If that's not possible (e.g. the hosting provider would charge more for another virtual machine), then it could still be done by using a solution like Docker to create multiple virtual environments, each with its own root user, inside a single virtual machine. This would be considerably more involved than just creating a wikiadmin user, though.

Collaborator

gbaz commented Nov 3, 2016

the 90% plan sounds plenty good to me. just cutting down root logins is a worthy goal on its own.

Contributor Author

ppelleti commented Nov 3, 2016

OK, I'll get to work on that.

Contributor Author

ppelleti commented Nov 3, 2016

This has been going well. One issue I ran into: /home/web/wikidata/wikistatic and all the files and directories under it are owned by the platform-site user. Do you know the history behind this, and is it important to keep these files owned by platform-site, or can I change them to wikiadmin?

Collaborator

gbaz commented Nov 3, 2016

iirc, platform-site is the specific sftp-only user created for the platform subsite. I suspect it's totally fine to change the ownership.

Contributor Author

ppelleti commented Nov 3, 2016

Also, some of the other files and directories under /home/web/wikidata are owned by a user named ubuntu. Same question goes for them.

Collaborator

gbaz commented Nov 3, 2016

vis a vis ubuntu i have no idea -- i think that's a result of installing the ubuntu package. But again, if nothing breaks on the frontend by moving this, I can't imagine it's important...

Contributor Author

ppelleti commented Nov 3, 2016

I have finished this task. The wiki appears to still work. The file /home/wikiadmin/files-owned-by-wikiadmin.txt lists the files and directories I changed the ownership of.

I copied root's authorized_keys to wikiadmin, so anyone who could log in as root can now also log in as wikiadmin. (Logging in using a password is not allowed for wikiadmin; an ssh key must be used.)
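An added example, not part of the original thread and not the project's own tooling: a shell audit for the ownership handover discussed above. It lists paths not owned by the admin account, paths the web server would lose if it reaches them only through the world-readable bits, and world-writable paths. The tree and the admin user are passed as arguments (assumptions of this sketch), and a POSIX `find` is assumed.

```shell
#!/bin/sh
# Added example: audit a wiki tree after handing it to a non-root admin user.
# Usage: audit.sh <tree> <admin-user-or-uid>

# Paths under $1 that are NOT owned by user $2 (name or numeric uid).
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Paths the web server reaches only through the "other" permission bits and
# would lose: regular files without o+r, directories without o+rx.
unreadable_by_others() {
    find "$1" \( \( -type f ! -perm -o=r \) -o \
                 \( -type d ! -perm -o=rx \) \) -print
}

# Paths any local account (including the web server user) could modify.
world_writable() {
    find "$1" ! -type l -perm -o=w -print
}

# Run all three checks; print findings and return 1 if any check reports a path.
audit_wiki_tree() {
    tree=$1
    admin=$2
    rc=0

    out=$(foreign_owned "$tree" "$admin")
    [ -z "$out" ] || { printf 'not owned by %s:\n%s\n' "$admin" "$out"; rc=1; }

    out=$(unreadable_by_others "$tree")
    [ -z "$out" ] || { printf 'not readable via "other" bits:\n%s\n' "$out"; rc=1; }

    out=$(world_writable "$tree")
    [ -z "$out" ] || { printf 'world-writable:\n%s\n' "$out"; rc=1; }

    return "$rc"
}

# Only run the audit when called with both arguments.
if [ "$#" -eq 2 ]; then
    audit_wiki_tree "$1" "$2"
fi
```

Running it before and after the `chown` shows which owners remain in the tree and whether the web server still has read access.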
