[00:42:01] <CZauX>	 I'm looking for suggestions on permissions setup for Nginx/Apache and PHP-FPM. I have one user, www-data, for the web server, and another user we'll call 'fpmuser'. I want to limit the webserver to only read on files, read and execute on directories. fpmuser needs to have read and write on files, and read, write, execute on directories. But, the catch is I can't seem to make ACL's automatically apply permissions if I were to create a new file over 
[00:42:01] <CZauX>	 SSH/move a file
[00:42:01] <CZauX>	 So far I have ACL's working fine, just that I want that web directory, and anything in it, to be of the permissions I require.
[00:42:01] <CZauX>	 Or else I have to do a sudo find /var/www/mysite/public_html -type f -exec chmod 660 {} \; every time I add more files, and sometimes change the owners
[00:42:02] <Dereckson>	 CZauX: what are you trying to achieve separating web and PHP users?
[00:42:03] <CZauX>	 multi-site security
[00:42:03] <CZauX>	 exploit in mediawiki doesn't bring down a wordpress site, for instance
[00:42:03] <Dereckson>	 So yes, to create one php-fpm pool per site, each with an user is a good idea.
[00:42:46] <Dereckson>	 You can chown the web folders to their users, and rely on chmod group/world readable for webserver access for static files not served by php-fpm.
[00:43:29] <Dereckson>	 On UNIX systems, new files created in a directory will take the group of the directory by the way.
[00:44:20] <Dereckson>	 e.g. /foo is alpha:beta, /foo/quux created by alpha or anyone else will receive creator:beta as user:group
[00:44:30] <CZauX>	 What about a directory in a directory?
[00:44:56] <Dereckson>	 same as far as the group is concerned: <current user>:<group of the parent dir>
[00:46:10] <CZauX>	 What about the actual permission level, though? I'l have more specifics in a bit, but it seems to be that if I were to create a file, I have to chmod it
[00:48:06] <Dereckson>	 they will follow umask, by default 022, so they will be created in 644
[00:48:26] <CZauX>	 Is there a way to require a umask on a directory and all its children?
[00:48:41] <CZauX>	 So, if I were to create a file or directory, it would inherit that umask
[00:48:47] <Dereckson>	 You can't associate directly in the filesystem an umask with a directory, no.
[00:50:53] <CZauX>	 ACL's If I remember correctly can't override the native permission. If its 644, then you can't have a default of 674. How do sysops typically get aroudn that?
[00:51:09] <CZauX>	 As in, unpacking an archive of stuff into a directory over Filezilla.
[00:51:13] <CZauX>	 Can't chmod in that case
[00:51:40] <Dereckson>	 If you wish to customize how files are handled, there are several storage backends available and you can even write yours, with custom chmod instructions.
[00:52:00] <Dereckson>	 But if files aren't sensitive, 755 folders and 644 files are fine
[00:53:11] <CZauX>	 If a user creates a file, such as over sftp, its owned by that user, and the folders group. But if the default umask is 644, then the group doesn't have write access, which is a problem with mediawiki upgrades
[00:53:13] <Dereckson>	 If files are sensitive, MediaWiki isn't optimized for user ACLs on content, files are accessible through URLs, etc.
[00:53:26] <CZauX>	 or any framework, really
[00:53:36] <Dereckson>	 You can configure the umask in a sftp session.
[00:54:43] <Dereckson>	 for pure ssh shell sessions, it's easier: something like "umask 002" if you wish to use 664/775, but I don't like the idea the web server could write too
[00:55:08] <Dereckson>	 write operations should be restricted to fpmuser
[00:55:11] <CZauX>	 Yes
[00:55:17] <Dereckson>	 that includes MediaWiki upgrade, files management
[00:55:32] <CZauX>	 Do ACL's have any actual performance problems with a webserver over native?
[00:55:33] <Dereckson>	 so if you chown the whole lot to fpmuser, you'll be fine
[00:55:53] <CZauX>	 If I chown to fpmuser, how does www-data have access, then?
[00:56:00] <CZauX>	 unless I give everybody read and execute
[00:56:43] <Dereckson>	 You identify the files the webserver must be read directly, and indeed you configure chmod (group or world) to allow www-data user to access them
[00:57:13] <Dereckson>	 each time the request is handled by php-fpm, it will be run as fpmuser, www-data *don't* need to access to that
[00:59:13] <Dereckson>	 Remember if a file must be served by the webserver, it's a *public* file, so world readable is okay.
[00:59:39] <Dereckson>	 (for static resources like logos)
[00:59:40] <CZauX>	 That is true, but what if you have a directory that has static files and php files?
[01:00:03] <CZauX>	 There are .php files such as LocalSettings.php which I don't want to be public. Thing is, I dont' want to be individually configuring files
[01:00:10] <Dereckson>	 you chmod 700 the .php
[01:00:48] <CZauX>	 But if I add another php file, I'l have to chmod it, which I can't do over sftp.
[01:01:21] <Dereckson>	 Personnaly, on an environment similar to what you describe, I've an autochmod script to do things like `find . -type f -iname "*.php" -print0 | xargs -0 chmod 700`
[01:01:57] <CZauX>	 what is an autochmod script?
[01:02:38] <Dereckson>	 It's the name I gave to the script to fix chmod in a folder in shared environment, where PHP should be 700 and not world readable.
[01:08:08] <CZauX>	 When does that run?
[06:51:18] <kiwi_0x010H>	 !btinfo #wikipedia-en
[06:59:15] <susjdjd>	 !btinfo #wikipedia-en-unblock
[07:06:25] <eir_is_love>	 !btinfo #wikimedia-ops
[07:07:25] <hi_jem>	 !btinfo #wikipedia-en-help
[08:27:47] <ctmarco>	 How  i can make mediawiki logo as link to index page
[08:27:48] <ctmarco>	 ?
[08:46:40] <p858snake|L2>	 ctmarco: it should be already, what skin are you using?
[09:13:43] <ctmarco>	 p858snake|L2:  I have another skin not original
[09:13:45] <ctmarco>	 another logo
[09:13:53] <ctmarco>	 I need to make this logo 
[09:14:01] <ctmarco>	 like link to index page
[09:14:31] <ctmarco>	 I have added pic
[09:14:46] <ctmarco>	 But i want make it clicable like a link to index page
[09:23:14] <p858snake|L2>	 which skin? is it a skin you wrote yourself?
[09:26:49] <ctmarco>	 chamelon
[09:27:02] <ctmarco>	 How i can edit and add link to image
[09:27:06] <ctmarco>	 where i can do it?
[09:27:21] <ctmarco>	 To make logo clickable
[09:31:14] <p858snake|L2>	 ctmarco: I recommend filing a bug report, so the skin author can look at your request https://github.com/cmln/chameleon/issues/
[09:33:41] <ctmarco>	 I found where this global is usedd
[09:33:43] <ctmarco>	 noproblem
[09:33:46] <ctmarco>	 all okay (:
[12:13:59] <arseny92>	 jubo2 , it's kinda late to check out 1.27 because (1) not sure how MW handles downgrades database wise on major version change (not the weekly wmf branches containing just a few changes) (even although filesystem-wise you can git checkout the needed branch) , and (2) REL1_28 is about to be branched soon, whereas WMF moves on to 1.29.0-wmf.1 next week if there won't be blockers
[12:14:27] <arseny92>	 mobijubo ^
[12:15:03] <Reedy>	 It doesn't do downgrades
[12:15:15] <Reedy>	 If the database changes have been destructive or otherwise backwards incompatible
[12:16:46] <marktraceur>	 I have a mystery for you all this morning
[12:16:48] <marktraceur>	 https://en.wikipedia.org/wiki/Barry_Zyskind
[12:16:57] <marktraceur>	 Why does this page have a noindex tag on it?
[12:17:43] <marktraceur>	 I have looked at https://www.mediawiki.org/wiki/Manual:Noindex but found nothing
[12:22:44] <arseny92>	 jubo2 , mobijubo , Reedy , yes, and so that's why downgrades aren't recommended in general unless you have a backup of affected tables and also the time to possibly manually fix schema complications . As discussed earlier he has currently an interwiki table without data, as he dropped it having a backup with an earlier schema and slightly different col order....
[12:23:36] <arseny92>	 marktraceur , https://en.wikipedia.org/wiki/Wikipedia:Controlling_search_engine_indexing , some embedded template has noindex magic word in it perhaps?
[12:24:05] <marktraceur>	 arseny92: No, I checked for that, none of the templates listed on the edit page are listed as using __NOINDEX__
[12:24:32] <marktraceur>	 arseny92: And anyway, that probably would be overridden when the editor put __INDEX__ on either end of the page.
[12:24:38] <arseny92>	 Mystery then
[12:24:44] <marktraceur>	 Exactly :)
[12:25:04] <Reedy>	 arseny92: You do realise I've been doing MW development for many years? ;)
[12:26:41] <arseny92>	 Reedy , yes, and?
[12:26:59] <Reedy>	 I don't need telling downgrades aren't reccommended :)
[12:27:30] <arseny92>	 this is mainly for jubo2
[12:27:51] <arseny92>	 see http://develop.consumerium.org/wiki/User:Juboxi/Blog/2016#Monday_2016-10-24
[12:34:27] <marktraceur>	 Huh, https://en.wikipedia.org/w/api.php?action=parse&page=Barry_Zyskind&prop=headhtml doesn't include the noindex
[12:34:31] <marktraceur>	 Must be something else
[13:09:51] <ctmarco>	 Hello everyone
[13:09:58] <ctmarco>	 I need solve simple issue 
[13:10:31] <ctmarco>	 I have problems with logo because my logo isn't clickable and aren't link to homepage by default.
[13:10:41] <ctmarco>	 How i can solve this problem?
[13:11:09] <arseny92>	 instead of asking for help its advised to just ask the question ;)
[13:11:45] <arseny92>	 Site css is in MediaWiki:<sylename>.css
[13:14:53] <arseny92>	 On default skins it already should be clickable and linking to the page specified as int:mainpage . On others this might not be as clear
[15:38:43] <jubo2>	 arseny92: nonono
[15:39:00] <jubo2>	 I restored the interwiki from reference machine MariaDB
[15:39:05] <jubo2>	 all is gut
[15:40:12] <jubo2>	 I even got the Titleblacklist-extension installed and added regex .*порно.* and it stopped me from adding порно to the Consumerium.org development wiki
[15:40:26] <jubo2>	 so proof by denial of service
[15:42:51] <arseny92>	 jubo2 ok. Did you read the versions advice I posted above earlier
[15:42:53] <arseny92>	 ?
[15:44:32] <arseny92>	 It's kinda useless to jump branches if 1.28 is about to be released soon anyway
[15:51:03] <despens_>	 hey, i am looking for help migrating to a new version of mediawiki and wikibase. there is a little money available. any admins here that would like to do it?
[15:51:50] <Reedy>	 despens_: Why do you require paid help? It's not particularly difficult if you've not changed stuff you shouldn't ahve changed :)
[15:52:15] <despens_>	 you summed up my problem pretty well
[15:52:32] <despens_>	 i'm running MW 1.25alpha (9f01c8d) and Wikibase 0.5 alpha (c77cc81)
[15:52:36] <Reedy>	 You've change stuff you shouldn't?
[15:52:56] <despens_>	 i think so.
[15:52:57] <Reedy>	 ;)
[15:53:06] <Reedy>	 Should be easy enough to tell
[15:53:48] <despens_>	 there has also been an issue coming up after the server's hard disk had an issue
[15:54:22] <despens_>	 it ran 0 bytes of free space, after that wikibase has problems rendering pages with a special property in it
[15:54:45] <Reedy>	 That's kinda strange
[15:55:37] <despens_>	 i also required paid help because of other things i need to do. i could figure it out probably but would rather have it set up again by somebody who has done it a few times before. i've only done it once
[15:55:56] <Reedy>	 Most people probably setup wikibase and leave it alone ;)
[15:56:11] <despens_>	 i'm not that kind of person :D
[15:57:12] <despens_>	 if you could help or know somebody who would be interested, please contact me at dragan.espenschied@rhizome.org
[15:57:39] <Reedy>	 Any suggestion of budget?
[15:58:55] <despens_>	 $500
[16:00:01] <despens_>	 (USD)
[16:00:01] <jubo2>	 arseny92: yes
[16:00:24] <jubo2>	 arseny92: Yeah.. I check out 1_28 as soon as it is released
[16:00:55] <jubo2>	 I just need to find out how do I change from the development branch 1_28-alpha to the release branch 1_28, right?
[16:01:21] <jubo2>	 Audio is crash. Reboot is need.
[16:01:48] <jubo2>	 When I get my next laptop I gonna install _so_ clean Kubuntu GNU/Linux
[16:02:12] <jubo2>	 this is dirty hack on dirty hack on dirty hack and the codecs and the whole audio breaks every now and then
[16:02:24] <jubo2>	 a plus tard mes amis
[16:35:43] <kaotikus>	 o/ hi all
[16:38:14] <andre__>	 hi
[19:02:29] <n_battan>	 hi.
[19:02:45] <n_battan>	 how can I request for developer access?
[19:04:31] <Reedy>	 You don't need to
[19:04:59] <Reedy>	 Just create an account on wikitech, and start submitting changes to gerrit
[19:06:44] <n_battan>	 thank you, @Reedy
[19:07:14] <n_battan>	 it is giving an error, "The authentication plugin denied the account creation."
[19:07:34] <Reedy>	 it?
[19:07:43] <n_battan>	 wikitech
[19:08:19] <n_battan>	 I'm trying to make an account on "https://wikitech.wikimedia.org/wiki/Special:CreateAccount"
[19:08:24] <bd808>	 n_battan: I think that error message may mean that the shell account name you picked is already in use. (errors there are hard to understand)
[19:08:54] <n_battan>	 ok, I'll try another shell account name.
[19:09:03] <bd808>	 I can double check the shell name availability for you too
[19:10:14] <n_battan>	 thank you, can you check for n_battan?
[19:10:58] <bd808>	 nothing using it yet. so I guess that's not the problem
[19:11:23] <n_battan>	 now it is showing some proxy problem, I'll try with other internet.
[19:14:10] <bd808>	 n_battan: there is something wrong with account creation. I've gotten a test to fail with the same "The authentication plugin denied the account creation." message.
[19:14:21] <bd808>	 I'll try to find something in the error logs
[19:20:30] <bd808>	 n_battan: it looks like you may have succeeded in creating an account?
[19:20:50] <n_battan>	 bd808: yes, thank you. :)
[19:21:20] <bd808>	 the first couple of wiki usernames you tried matched a spoof filter, which basically means they were very close to existing usernames.
[19:22:36] <n_battan>	 bd808: should I download the source code using my username or it is okay to just download it from "git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git"?
[19:23:00] <Reedy>	 if you clone over HTTPS, you'll need to switch remotes
[19:23:02] <Reedy>	 Otherwise, it's fine
[19:23:46] <n_battan>	 Reedy: ok, thank you.
[19:23:53] <bd808>	 to use ssh for the clone you will need to add an ssh public key in gerrit -- https://gerrit.wikimedia.org/r/#/settings/ssh-keys
[19:29:14] <n_battan>	 should I use the same account that I created on wikitech or create another account on gerrit?
[19:29:59] <andre__>	 n_battan, your wikitech account IS your gerrit account :)
[19:30:14] <n_battan>	 ok.
[19:30:22] <andre__>	 see https://www.mediawiki.org/wiki/Gerrit/Tutorial
[19:30:44] <andre__>	 specifically, https://www.mediawiki.org/wiki/Gerrit/Tutorial#Add_SSH_key_to_your_Gerrit_account
[19:51:11] <arseny92>	 [22:14] <bd808> n_battan: there is something wrong with account creation. I've gotten a test to fail with the same "The authentication plugin denied the account creation." message.
[19:51:12] <arseny92>	 [22:14] <bd808> I'll try to find something in the error logs
[19:51:49] <arseny92>	 the same page has note on how users with prior SVN accounts should to proceed
[19:52:48] <arseny92>	 although thats not the problem if he already created the account
[19:54:48] <bd808>	 arseny92: the problem was nothing like that.
[19:55:24] <bd808>	 and from the conversation context I was pretty sure that this user was not returning after 4.5 years of being away
[19:57:02] <bd808>	 help is appreciated, but wild speculation is not very helpful
[19:59:06] <bd808>	 there were 2 different problems: names being marked by the anit-spoof filters and shell names that were too long or had bad characters in them. Both are handled by hooks and not proper authmanager providers. That leads to the nearly useless error message.
[19:59:59] <bd808>	 I'd file a bug about that, but then I'd have to fix it and I'd rather keep working towards killing off the use of wikitech + ldapauth to create LDAP accounts.
[20:00:09] <n_battan>	 bd808: I guess there is not any problem with the account creation. I created an account a few months ago but I don't remember its password and username so I was trying to make another one and my name was similar to the previous one. So I guess that's why it was not letting me creating the account.
[20:01:26] <bd808>	 n_battan: that makes some sense. My long term goal is to hook the LDAP accounts (the shell name part) to normal Wikimedia unified accounts. That should help people who are already active on a project wiki a bit.
[20:02:29] <bd808>	 n_battan: thanks for your report though. I now have a better idea of what to look for when people see that error message.
[20:02:49] <n_battan>	 bd808: :)
[20:03:14] <n_battan>	 and there was one more error that there can be only 6 accounts created in one day from one IP
[20:03:23] <n_battan>	 so I tried my mobile data to create an account.
[20:04:08] <bd808>	 the account creation throttle. its kind of useful but pretty annoying when you hit it
[20:04:17] <n_battan>	 yeah
[20:05:15] <bd808>	 the other way around that is to get an admin to create the account for you. That's not very convenient unless you are at an editathon or hackathon with some admins around though
[20:06:46] <n_battan>	 I guess the normal way is alright, because it tells what is the problem that is occurring.
[20:18:39] <Platonides>	 3
[20:24:31] <alex1a>	 anyone have debian jessie 8 ? i want to install "mathoid" and did not know how the best way to install it.
[20:24:32] <alex1a>	 https://www.mediawiki.org/wiki/Mathoid#Mathoid_setup, say that "Using node.js from repository did not work"
[20:27:25] <alex1a>	 should i follow the NPM package way ?
[20:33:46] <Platonides>	 perhaps there's a jessie-backports nodejs that works? :/
[20:49:01] <arseny92>	 bd808 > "is to hook the LDAP accounts (the shell name part) to normal Wikimedia unified accounts." > so is that what you are doing on toolsadmin.wikimedia.org? ;)
[20:49:34] <bd808>	 arseny92: that's one part, yeah
[20:50:30] <arseny92>	 connecting ldap to centralauth and phab
[20:50:35] <bd808>	 things get kind of vague the further you get from tool labs at the moment.
[20:51:10] <bd808>	 the phab thing is just for tool labs so that the admin console can setup perms on diffusion repos really
[20:51:38] <bd808>	 but there is a plan to add a wikimedia account name to our LDAP records
[20:52:20] <bd808>	 then we "only" need to make it easy to create those associations for all existing accounts and make a new way to create new accounts
[20:52:37] <bd808>	 its quite a way off so the plans are pretty vague
[20:53:32] <bd808>	 I do have account creation in toolsadmin working on a demo server and in code review
[20:54:44] <arseny92>	 well thats already partly done if the accounts are interconnected with each other (on toolsadmin you log in with ldap and connect sul, which is in turn connected to phab, and on phab you have both auth providers connected)
[20:55:37] <bd808>	 *nod* that connection is local to toolsadmin's database for now, but I've been talking to folks about moving the data storage to LDAP proper
[20:55:46] <bd808>	 which would make it easier for other things to use it
[21:01:46] <Platonides>	 I'd also consider the option of not making them interchangeable
[21:02:46] <Platonides>	 so a compromise to the wiki account doesn't automatically allow accessing to everything available to the ldap one
[21:59:15] <CZauX>	 Anyone know of a desktop tool to deploy servers that has a GUI? Such as being able to make a puppet, chef or ansible config, and backup, restore and deploy servers with?
[22:04:20] <Dereckson>	 CZauX: if you like Puppet, there is a project called https://puphpet.com/ to configure a server
[22:04:50] <Dereckson>	 Never used that, but I know someone from fr.wikipedia really fan of this configurator
[22:04:58] <Dereckson>	 it's a web GUI
[22:07:00] <CZauX>	 Isn't that all vagrant, though?
[22:40:51] <Philroc>	 i'm trying to install mediawiki
[22:41:15] <Philroc>	 but when i get to the installation, it says access is denied for user ''@'localhost'
[22:41:19] <Philroc>	 what's wrong?
[22:45:28] <saper>	 Philroc: what is your MySQL user name?
[22:45:43] <saper>	 probably something was left empty during the installation
[22:45:56] <saper>	 Philroc: have a look at your LocalSettings.php
[22:46:32] <Philroc>	 i dont have that file yet
[22:46:40] <Philroc>	 i'm at the page called "Install"
[22:46:43] <saper>	 ok
[22:46:48] <Philroc>	 the one right before you get localsettings
[22:46:54] <saper>	 so it's not fully installed yet, right
[22:47:01] <Philroc>	 yeah
[22:47:07] <saper>	 can you go back to the database settings?
[22:47:12] <Philroc>	 ok
[22:47:28] <Philroc>	 hold on
[22:47:30] <saper>	 did you give two usernames or only one?
[22:47:49] <Philroc>	 hold on
[22:47:51] <Philroc>	 im going back
[22:48:14] <Philroc>	 my database username is wikiuser
[22:48:43] <arseny92>	 ensure the sql user has all privileges on the desired database
[22:49:00] <Philroc>	 i will
[22:49:31] <Philroc>	 it has everything but grant
[22:50:08] <arseny92>	 if the user can't create databases, pre-create it and grant the privs needed, then proceed with the installation
[22:50:27] <Philroc>	 but this isn't a permission problem
[22:50:40] <Philroc>	 its a problem with logging in in the first place
[22:51:45] <Philroc>	 in case this is a problem, the wiki user has no password
[22:53:01] <saper>	 well...
[22:53:25] <arseny92>	 unless yu are setting up a test wiki on your localhost or elsewhere with restricted access, you shouldn't use blank passwords....
[22:56:03] <Philroc>	 thats exactly what im doing
[22:56:15] <Philroc>	 i just wanted to analyze a database dump
[23:02:01] <Philroc>	 so do you know what might be wrong?
[23:06:26] <saper>	 Philroc: did you create the user without a password by hand in the database?
[23:06:32] <Philroc>	 no
[23:06:47] <Philroc>	 i gave it a password, but the system made it blank for some reason
[23:07:29] <arseny92>	 then the use password option is set but the password is blank
[23:07:48] <saper>	 the system?
[23:08:25] <Philroc>	 xampp
[23:26:15] <Dereckson>	 Hey saper :) Hi.
[23:31:11] <saper>	 hey Dereckson!
[23:33:17] <saper>	 Philroc: I'd try setting the password for the user