[00:12:00] Heh, fair
[01:41:00] @pixldev if you wanna put some loadout stuff on here go for it: https://enloadouttest.mirabeta.org/wiki/Main_Page
[01:43:19] chat we cook
[01:45:40] @originalauthority so everything on this wiki will be loaded out
[01:45:48] for test yes
[01:46:10] doesn't matter about how many revisions as the history will be overwritten with a system user
[03:18:29] why the fuck is it defaulting to greek lol
[06:51:11] I think I have over 100 I am listed in lol
[07:04:06] does miraalpha exist i wonder
[07:51:49] Would be fun if there are more into the iceberg
[07:52:43] Shall we proceed with the review if I assume that you are available? :pupCoffeeMH:
[07:53:07] I will get it done today
[07:59:58] ugh why did i secure my mirabeta account with 2fa
[08:53:43] ah yes 2fa
[08:54:18] btw, https://enloadouttest.mirabeta.org/wiki/Talk:Main_Page#BlankEclair:_Request_for_bureaucrat
[08:54:57] [1/2] help it's all greek
[08:54:57] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1274652749379797085/W1HwoZz.png?ex=66c30861&is=66c1b6e1&hm=1ec6f8e93ca17aedacb3883cd4995a7165999a7e4d920e8abd829c2b7d550058&
[08:55:25] oops all greek
[10:00:17] anyone that knows puppet have any comments about the mess I've made here https://github.com/miraheze/puppet/pull/3897 ?
[10:00:49] Basically we need a quick and easy solution (since we don't have anyone who is able to spend more time on something complex) to allow certain users to deploy on beta without having access to PII
[10:23:01] cc @rhinosf1
[10:32:54] @reception123 left some comments
[10:35:58] Thanks! in terms of "shouldn't be able to edit or remove files on /srv/mediawiki/*" how would they do that without the /bin/nano permission?
[10:36:10] since they wouldn't have full www-data like other groups in order to prevent them from accessing anything with PII
[10:37:17] I meant that they shouldn't be able to do that _directly_ I mean
[10:37:36] what user does mwdeploy run as? or does it escalate as someone else
[10:37:49] they should edit staging, then use mwdeploy to deploy their change to mediawiki since that way there's a log
[10:38:18] also, keep in mind that nano lets users run arbitrary commands by default
[10:38:54] ah right yeah that makes sense
[10:39:01] oh, like what?
[10:39:02] BlankEclair: mwdeploy runs as your own user, however it runs multiple commands, like git and rsync, as the www-data user by sudo'ing
[10:39:23] reception123: nano + Ctrl+R + Ctrl+X
[10:42:58] either way everything will first be tested to make sure there aren't any workarounds
[10:43:12] there's sudoedit btw
[10:43:39] copies the file into a path where the regular user can edit, opens the editor as the user, and copies the file back
[10:44:15] you may also be interested in rnano
[10:45:24] example of shell execution in nano: https://files.catbox.moe/03ntcn.mp4
[10:45:28] there's also a file browser too
[10:48:41] I have heard of that but does that mean that even without sudo permissions someone could use sudo -u www-data nano /home/user/file.sh and then sudo to wherever they want?
[10:48:51] to run anything as www-data yes
[10:49:03] (assuming they can run nano as www-data)
[10:49:31] ah, I didn't think of that. I knew it was a thing but I thought that was only if you already had access to www-data ALL and wanted to restrict one specific command (I tried that once)
[10:49:35] in that case `rnano` it is!
[10:49:45] i guess that works lol
[10:49:56] i prefer sudoedit because i can have personal settings for nano
[10:50:20] oh I mean I don't really know what the difference is
[10:50:24] if sudoedit has the same result then sure
[10:50:37] sudoedit runs the editor as the same user
[10:50:54] but copies the file off to temporary storage so you can still edit files that the user can't
[10:52:02] https://man.archlinux.org/man/sudoers.5#Secure_editing
[10:52:06] ah, that sounds good then
[10:52:43] just tried it out
[10:54:40] anything else wrong with my awful PR? 😄
[10:59:01] https://github.com/miraheze/puppet/pull/3897/files#diff-a5398b638be58ccbd6e424b4aef666489861be78a3cecf4c4d6103c5be871e8eR76
[10:59:25] i wonder, rsync --rsh=/bin/sh awawa:/tmp/example .?
[10:59:49] (probably needs reworking, but possible method to execute an arbitrary executable as an escalated user)
[10:59:57] and uh
[10:59:58] I guess we'll have to test that out
[11:00:13] i just realized, is that meant to allow to escalate to anyone?
[11:12:34] > [18/08/2024 20:59] I guess we'll have to test that out
[11:12:42] i mean, i can write that line in my local sudoers
[11:13:39] "you will not regret editing /etc/sudoers with a text editor"
[11:15:20] i just realized... all of these sudoers entries are NOPASSWD?
[11:15:37] Wrong wiki love
[11:15:46] which message
[11:15:49] That’s the loadout wiki
[11:15:54] RfB
[11:16:04] ?
[11:16:18] i basically just need any new wiki to mess with
[11:16:22] Unless I'm confused
[11:17:09] Oh needs to be a new wiki?
[11:17:24] dunno if needs
[11:17:28] but i wanna try on a new one
[11:17:29] Can’t be https://test.mirabeta.org/wiki/Main_Page?
[11:17:43] i have no idea how to debug this
[11:18:02] unless if you want me to tear through mediawiki source code in production, and even i admit that that's not a good solution
[11:18:33] Impressive I mean uh yeah def
[11:19:33] Actually
[11:20:33] @reception123 since I already needed it for testing can you grant me crate on metabeta so I can give myself wiki creator and also go ahead and approve a new wiki for Claire to shoot her task
[11:21:06] o good idea
[11:23:18] Reception123: you can privilege escalate through rsync: https://files.catbox.moe/4d1koa.png
[11:23:58] ugh headaches suck
[11:31:25] i should make comments on the actual pr itself
[11:31:27] proper documentation
[11:38:30] BlankEclair: hmm
[11:38:33] any idea how we can avoid that?
[11:38:42] btw you can delete arbitrary files with rm as www-data
[11:38:48] commented a poc on the pr
[11:38:55] if I remember my password heh
[11:39:27] as for avoidance... i have a headache rn so i can't brainstorm, but you might need to separate this thing out into a daemon and client-esque thing
[11:39:54] or at least a binary that can invoke another binary that will do only one set thing
[11:41:17] there's never an easy thing when it comes to permissions eh?
[11:41:27] heh
[11:41:40] sudo's built-in argument checking is too simplistic for this
[11:42:30] ugh... should i sleep this headache off?
[11:42:35] i have unfinished schoolwork though
[11:45:00] well if you have a headache I'd probably not try to figure out complicated coding :D
[11:46:14] i... guess
[11:46:26] but like, i'm kinda banking on it to pass within a few minutes
[11:46:30] so i can get to work
[11:46:35] but jesus christ does it hurt
[11:51:36] @rhinosf1 is there any reason why we couldn't instead require www-data to run mwdeploy? and then we don't need to worry about the rsync stuff that BlankEclair mentions?
[11:53:31] mwdeploy runs rsync as www-data
[11:54:18] RhinosF1: we're planning to allow some server access to non-nda people
[11:54:28] (beta only of course)
[11:54:35] (yeah that)
[11:54:43] here's the pr: https://github.com/miraheze/puppet/pull/3897
[11:55:05] if we allow the user to run rsync, then they can priv escalate using rsync's ssh feature
[11:55:48] beta can't be non nda yet
[11:56:03] oh?
[11:56:07] well the idea is to only allow deploy and that's it
[11:56:13] Not database
[11:56:14] no maintenance scripts nothing else
[11:56:16] It shares memcache access
[11:56:33] If you can access memcache, you can access prod private data
[11:56:37] actually
[11:56:41] well there wouldn't be any memcached access either
[11:56:42] Someone remind me what memcache is and why my phone autocorrected to men ache
[11:56:47] if you can write arbitrary code, what's stopping you from doing anything as www-data?
[11:56:53] there would be no access at all except using mwdeploy and accessing /srv/mediawiki
[11:57:00] Hm…
[11:57:04] That's enough for a leak
[11:57:16] I -1 this from a security point
[11:57:21] Can we have a task
[11:57:24] _hates sudo permissions_
[11:57:25] there is actually
[11:57:26] there is one
[11:57:35] the task is the more advanced version though (https://issue-tracker.miraheze.org/T12486)
[11:57:36] But ye reception is wrong on that PR
[11:57:46] https://issue-tracker.miraheze.org/T12486
[11:57:49] You don't need root rsync to deploy
[11:57:57] it runs as www-data
[11:58:01] It runs as www-data
[11:58:01] but still, can run anything as www-data
[11:58:26] Well if beta was actually isolated you could have non NDA
[11:58:28] It isn't
[11:58:56] Beta doesn't share CentralAuth
[11:59:01] It uses another db
[11:59:48] https://issue-tracker.miraheze.org/T12486#249589
[11:59:56] I will do it by Wednesday
[12:01:14] Going back to seeing family now
[12:01:47] You do it right and beta users can just be mw-admins on one server
[12:01:59] yeah, that'd be the best impl
[12:02:06] i was wondering why we weren't trying to do that
[12:02:44] In that case we could probably just go back to my original idea and allow full www-data on beta once we isolate everything
[12:02:55] but then there would have to be disclaimers on the wiki and a slightly modified privacy policy
[12:09:42] Or abolish privacy policy
[12:09:56] probably not a good idea
[12:10:27] [1/2] == Privacy Policy ==
[12:10:27] [2/2] 1. There is no privacy.
[12:10:59] On beta
[12:11:42] By viewing this page, we have already sent malware to your computer. Good luck.
[12:11:48] /s
[12:11:59] I know it was probably a half-joke but we couldn't do that due to GDPR requirements and all that. The most that could be done is warn people not to use emails or that if they do that will be considered public
[12:12:01] I think WMF may do that
[12:24:31] imagine installing talk(1) on miraheze servers
[12:25:21] Who you gonna talk to
[12:25:44] any possible sysadmin who is also logged in
[12:27:41] [1/2] I'd be talking to myself then lol
[12:27:42] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1274706286314782815/image.png?ex=66c33a3d&is=66c1e8bd&hm=27d2b5d2f7f70337632387eba03d5f5056d75381633b87dc1e1775be2203c6bc&
[12:29:08] [1/2] INCOMING CONNECTION FROM blankeclair:
[12:29:08] [2/2] Hey how’s the kids
[12:29:20] LMFAO
[12:29:39] we have wall(1) for one-off messages
[12:30:26] Noted
[12:30:32] Is it async?
[12:31:01] why am i thinking of async code
[12:31:09] it emits your message in all ttys
[12:32:12] I mean same concept
[12:32:27] ig yeah
[12:33:05] Morning chochy milk mmmmm
[12:33:09] anyway i'm gonna get ready for bed
[12:33:16] god damn it i want chochy milk now
[12:33:17] Lmao
[12:33:41] I’ll ship you some Nescau
[12:35:53] @reception123 can you kick CI on my pr
[12:38:36] you know, i can't believe that i haven't had chochy milk in over a year
[12:38:54] False
[12:38:55] No way
[12:38:59] Screw that
[12:39:34] anyway, i'm gonna go to bed with a brand new craving now
[12:39:40] nini
[12:40:43] Nini
[12:40:51] Also wow you're sleeping at a normal time
[12:45:26] We can
[12:45:31] As long as users are fully aware
[12:45:40] I'm going to do a privacy and security assessment
[12:45:49] And show you how to do zero privacy under GDPR
[12:46:17] I use the GDPR to not GDPR
[12:47:09] It is perfectly acceptable to have a policy that says you accept all risks
[12:47:22] But you should have a policy that says that
[12:47:27] It's called ISO 9001
[12:50:36] Btw rhinos do you have access on createwiki’s repo
[12:54:23] Yes
[12:54:25] Why
[12:55:35] Can you run CI on PR 546 pwease
[13:01:50] Done
[13:03:21] Yaaaay
[13:05:16] Code rabbit has no idea what this PR does
[13:05:26] > allowing users to specify if a wiki page should be locked during creation.
[13:05:27] Expected
[13:08:38] Stupid AI
[13:08:46] I read a nice paper on AI the other day
[13:09:05] Oh?
[13:09:17] Tbf I didn’t explain in pr and just added the button
[13:09:24] Also Phan complained
[13:09:27] As normal
[13:10:05] Ask me tomorrow
[13:10:09] K
[13:10:10] It's on my work laptop
[13:10:27] It's public so I can share but it was on slack
[13:10:28] Let me try and fix the syntax error and see if that is causing the other issues
[13:15:48] I'm going back to family again now
[13:15:59] Even though you lot are more interesting
[13:16:52] LMAO
[13:17:34] Also updated syntax maybe so if anyone wants to press button again go ahead
[13:18:43] It's going
[13:21:52] Do we even need CodeRabbit reviews? Phan seems more effective
[13:22:29] I like seeing how stupid it is
[13:22:48] Lmao
[13:23:14] I mean, looks back at discord moderator appeals same
[13:25:30] Could prob run CI at the same time though
[13:30:46] Today i learned that MediaWiki doesn't follow PSR-12 guidelines rip 🥲
[15:03:10] I set CI off
[15:03:14] Forgot that button
[15:03:17] I'm back now
[15:14:07] @reception123 my only issue with privacy and data is we probably should limit how long we keep data further
[15:14:31] And no required special category data
[15:14:51] CheckUser is probably the biggest struggle
[15:15:06] But we could probably limit retention to like 1 hour
[15:15:55] Or not at all on most beta wikis
[15:16:02] It's limited registration
[15:17:29] Yeah we can keep data for even 1 second for CU on beta tbh
[15:17:47] But yeah it would be limited registration anyway
[15:25:18] We could have a CU wiki
[15:25:33] But I don't think on by default is a good idea
[15:25:59] But I think memcache is the main blocker
[15:26:08] I think beta has its own redis
[15:26:30] It has its own databases, not sure if we leak the prod password anywhere
[15:26:41] Or if you can access prod dbs from beta
[15:26:47] Its own db server would be nicer
[16:38:59] Yeah, CA mentioned a separate db
[16:39:05] So that's indeed probably best
[16:40:00] Separate db is best
[16:40:06] Cause we can firewall off the others
[16:40:20] Shared db with restricted mysql creds is okay
[16:45:15] Yeah. I'm not fully sure if PrivateSettings is shared actually
[16:46:55] Yes it is
[16:47:08] You can easily adjust it though
[17:37:25] [1/2] feels too bored to work on the new wiki rn, let's try getting the article creation page to work...
[17:37:25] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1274784231989579816/i.png?ex=66c382d5&is=66c23155&hm=335fb0fb042e36fa96e5e01c9c5660fe38bacebce8f60cf37202d957e5e89580&
[17:38:25] and bump... for me it's midnight alr but hey
[17:59:49] https://gerrit.wikimedia.org/r/c/mediawiki/core/+/998407
[18:19:36] Only a decade old task
[18:26:53] The WMF are a really awful software house
[18:27:38] [1/7] Median age in days of open tasks by priority:
[18:27:39] [2/7] Unbreak now: 116
[18:27:39] [3/7] Needs Triage: 1033
[18:27:39] [4/7] High: 1243
[18:27:40] [5/7] Normal: 2081
[18:27:40] [6/7] Low: 2626
[18:27:40] [7/7] Lowest: 3149
[18:28:01] 3 years to even get a bug triaged
[18:28:12] 8 to get features added
[18:28:15] Like come on
[18:28:51] Wikipedia is only 23 years old
[18:29:17] T1 was only closed this year I think
[18:29:46] Oh no 2021
[18:29:48] https://phabricator.wikimedia.org/T1#7483165
[18:29:56] I swear that was like 5 minutes ago
[18:29:59] I'm old again
[18:30:15] we are getting older every day
[18:30:29] I see the mail, thanks CA
[18:37:54] No problem
[19:16:55] my patch for RightFunctions just got merged, someone else even backported it to REL1.42
[19:17:51] better pull it
[19:17:59] ig
[19:19:25] and... CA approved the extension, github access included?
[19:32:24] seems that you are in the console rn, wouldn't mind checking out my PR?
[19:42:48] well checking is a bit of an understatement since new extensions also need to be tested in order to make sure they work
[19:45:28] [1/2] got it, thanks
[19:45:29] [2/2] still grinding every day
[20:29:40] LMAO
[20:29:57] That unbreak now…
[20:42:24] Hey @pixldev
[20:42:34] Oi
[20:43:01] What's up
[20:45:43] Life
[20:45:47] Just got back home
[21:54:49] I'm giving out 10 trading slots to 10 people on how to earn $40k in 3days. But I'll take 10% cut after your first payout. Note!! only interested people should send me a message let’s get started by asking (HOW) via WhatsApp +1 (369) 214‑8477
[23:03:13] @rhinosf1 can i ask for an opinion
[23:35:46] also @originalauthority for someone trying to install CW/MW even if they mess up all the previous steps (per your guide) the extensions should appear in special:version by step 5 right? When you actually enable them
[23:36:37] I don't know what step 5 is off the top of my head, but wfLoadExtension should make it appear in Special:Version, yes, even if you've messed up.
[23:36:58] Okay interesting
[23:37:09] asking for a friend who was following it and said it didn’t
[23:37:57] [1/2] > I was able to follow the guide below until step 6 when CW and MW refused to properly install or at least make their installation known in Special:Version.
[23:37:58] [2/2] > https://meta.miraheze.org/wiki/User:Original_Authority/Setting_up_a_CreateWiki_development_environment#Option_2
[23:38:17] I'll let him know it’s probably a typo or repo issue
[23:59:06] if he wants to share his code i can look
[23:59:12] cc @pixldev