Most secret information like database passwords are kept in LocalSettings.php,
so blacklisting that file by default would take away a lot of information an
attacker would want.
Since most commands shouldn't need to read the PHP configuration, add it to
RESTRICT_DEFAULT. People can still use:
$cmd->restrict( Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS );
if they need to still access LocalSettings.php
Bug: T182484
Change-Id: I4032e2706e808e9b819e92a06eff536ccf043388
+ if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+ $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+ }
+
if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
$cmd[] = '--noroot';
}
if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
$cmd[] = '--noroot';
}
* Apply a default set of restrictions for improved
* security out of the box.
*
* Apply a default set of restrictions for improved
* security out of the box.
*
- * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
+ * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
*
* @note This value will change over time to provide increased security
* by default, and is not guaranteed to be backwards-compatible.
* @since 1.31
*/
*
* @note This value will change over time to provide increased security
* by default, and is not guaranteed to be backwards-compatible.
* @since 1.31
*/
- const RESTRICT_DEFAULT = 7;
+ const RESTRICT_DEFAULT = 39;
/**
* Disallow any root access. Any setuid binaries
/**
* Disallow any root access. Any setuid binaries
+ /**
+ * Deny access to LocalSettings.php (MW_CONFIG_FILE)
+ *
+ * @since 1.31
+ */
+ const NO_LOCALSETTINGS = 32;
+
/**
* Returns a new instance of Command class
*
/**
* Returns a new instance of Command class
*
// @codingStandardsIgnoreEnd
$limit = "$IP/includes/shell/limit.sh";
$profile = "--profile=$IP/includes/shell/firejail.profile";
// @codingStandardsIgnoreEnd
$limit = "$IP/includes/shell/limit.sh";
$profile = "--profile=$IP/includes/shell/firejail.profile";
- $default = '--noroot --seccomp=@default --private-dev';
+ $blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
+ $default = "$blacklist --noroot --seccomp=@default --private-dev";
return [
[
'No restrictions',
return [
[
'No restrictions',