shell: Add NO_LOCALSETTINGS restriction
Most secret information, such as database passwords, is kept in LocalSettings.php, so blacklisting that file by default would take away a lot of information an attacker would want. Since most commands shouldn't need to read the PHP configuration, add it to RESTRICT_DEFAULT. People can still use: $cmd->restrict( Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS ); if they still need to access LocalSettings.php. Bug: T182484 Change-Id: I4032e2706e808e9b819e92a06eff536ccf043388
parent
4b297d2aac
commit
1476429857
3 changed files with 15 additions and 3 deletions
|
|
@ -110,6 +110,10 @@ class FirejailCommand extends Command {
|
|||
}
|
||||
}
|
||||
|
||||
if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
|
||||
$cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
|
||||
}
|
||||
|
||||
if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
|
||||
$cmd[] = '--noroot';
|
||||
}
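Review bot: `realpath( MW_CONFIG_FILE )` in the new NO_LOCALSETTINGS branch returns `false` when the file is missing or cannot be resolved, and the concatenation then yields a bare `--blacklist=` argument, so the restriction would silently protect nothing (or, presumably, make firejail reject the command line). Resolve the path first and add the option only when it is a string, e.g. `$configFile = realpath( MW_CONFIG_FILE );` followed by `if ( $configFile !== false ) { $cmd[] = '--blacklist=' . $configFile; }`, and log the skipped case so the missing protection is visible. The enclosing method starts and ends outside the hunk, so whether `$cmd` entries are shell-escaped later cannot be checked here; if they are not, a config path containing spaces or shell metacharacters would need escaping.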
|
||||
|
|
|
|||
|
|
@ -45,13 +45,13 @@ class Shell {
|
|||
* Apply a default set of restrictions for improved
|
||||
* security out of the box.
|
||||
*
|
||||
* Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
|
||||
* Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
|
||||
*
|
||||
* @note This value will change over time to provide increased security
|
||||
* by default, and is not guaranteed to be backwards-compatible.
|
||||
* @since 1.31
|
||||
*/
|
||||
const RESTRICT_DEFAULT = 7;
|
||||
const RESTRICT_DEFAULT = 39;
|
||||
|
||||
/**
|
||||
* Disallow any root access. Any setuid binaries
|
||||
|
|
@ -92,6 +92,13 @@ class Shell {
|
|||
*/
|
||||
const NO_EXECVE = 16;
|
||||
|
||||
/**
|
||||
* Deny access to LocalSettings.php (MW_CONFIG_FILE)
|
||||
*
|
||||
* @since 1.31
|
||||
*/
|
||||
const NO_LOCALSETTINGS = 32;
|
||||
|
||||
/**
|
||||
* Returns a new instance of Command class
|
||||
*
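Review bot: `const RESTRICT_DEFAULT = 39;` repeats by hand the flag list given in the docblock above it, and the two can drift apart the next time a restriction is added. If the supported PHP versions allow constant expressions, `const RESTRICT_DEFAULT = self::NO_ROOT | self::SECCOMP | self::PRIVATE_DEV | self::NO_LOCALSETTINGS;` keeps the value and its documentation in one place. The NO_LOCALSETTINGS docblock in the second hunk should also state the limit of the protection, since the Firejail code in this commit blacklists only that one path: for instance `* Only the file named by MW_CONFIG_FILE is hidden; secrets in files it includes stay readable.`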
|
||||
|
|
|
|||
|
|
@ -31,7 +31,8 @@ class FirejailCommandTest extends PHPUnit_Framework_TestCase {
|
|||
// @codingStandardsIgnoreEnd
|
||||
$limit = "$IP/includes/shell/limit.sh";
|
||||
$profile = "--profile=$IP/includes/shell/firejail.profile";
|
||||
$default = '--noroot --seccomp=@default --private-dev';
|
||||
$blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
|
||||
$default = "$blacklist --noroot --seccomp=@default --private-dev";
|
||||
return [
|
||||
[
|
||||
'No restrictions',
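Review bot: The expected `$blacklist` string is built with the same `realpath( MW_CONFIG_FILE )` expression as the code under test, so when the test environment has no resolvable config file both sides become `--blacklist=` and the cases still pass without proving anything. Guard against that in the test method with `$this->assertNotFalse( realpath( MW_CONFIG_FILE ) );`, or compare against a fixed path that the test sets up itself. The data provider continues outside the hunk, so I cannot see whether a case covers `Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS`; if none does, one should be added to confirm that the opt-out drops the `--blacklist` argument.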
|
||||
|
|
|
|||