Comments (8)
I don't see it as a change in security model at all. There are two cases:
- The site is a regular WordPress site, in which case it works properly
- The site is compromised, in which case it can run whatever code it wants, so interaction with this script doesn't matter

One must take into account security considerations too. Specifically, last time I checked, wp-cli operates by evaluating the WordPress PHP code, which is dangerous if the WordPress files have been compromised. We do not want makemysql to accidentally run malicious code.

Good point. If the site is compromised, it is already able to run malicious code, so we just have to make sure that wp-cli is run with the same permissions as the user.

Still, though, I think people expect makemysql to be a "safe" command. Allowing it to execute arbitrary code, even as the same user, would still be a major change in the security model of this script.

Still, I suppose there could, at least in principle, be an issue with makemysql triggering the execution of malicious code that could, for instance, detect when the database password is being changed through wp-cli and email the new password off to the attacker. Or something.
I would suggest putting the wp-cli stuff behind a command line option, or at least having an option to skip it.

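The alternative the last two comments argue for, written out as an added example that is not ocf/utils code: rotate the password by rewriting the `define('DB_PASSWORD', ...)` line of wp-config.php as plain text, so none of the (possibly compromised) site's PHP is ever evaluated, and write the result atomically so a crash cannot leave a half-written config. The function names, the alphanumeric-only password policy, the "exactly one define or refuse" rule and the sample wp-config.php in the test are assumptions of this example, not behaviour of the script discussed on the page.

```python
"""Rotate DB_PASSWORD in a WordPress wp-config.php by text edit, never by running PHP.

Added example (not ocf/utils code). Assumes a stock wp-config.php containing a line
such as:  define( 'DB_PASSWORD', 'secret' );
"""
import os
import re
import secrets
import string
import tempfile

# Exactly one define() call for DB_PASSWORD. Group 2 is the quote around the constant
# name, group 3 the quote around the value, group 4 the raw value; (?!\3). stops the
# value at its closing quote while \\. lets an escaped quote or backslash through.
_DB_PASSWORD_RE = re.compile(
    r"""(define\(\s*(['"])DB_PASSWORD\2\s*,\s*)(['"])((?:\\.|(?!\3).)*)\3(\s*\))"""
)

# Password alphabet: letters and digits only, so the value needs no PHP escaping
# (assumption of this example; widen it only together with a proper escaper).
_ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 32) -> str:
    """Cryptographically random password drawn from _ALPHABET."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def _php_unquote(literal: str) -> str:
    """Undo the escapes that can appear in a quoted PHP string literal (\\', \\", \\\\)."""
    return re.sub(r"\\(['\"\\])", r"\1", literal)


def set_db_password(config_text: str, new_password: str) -> tuple[str, str]:
    """Return (new_config_text, old_password) with only the DB_PASSWORD value changed.

    Refuses (ValueError) unless exactly one DB_PASSWORD define is present, so a file
    that has been rearranged in an unexpected way is left untouched for a human.
    """
    matches = list(_DB_PASSWORD_RE.finditer(config_text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one DB_PASSWORD define, found {len(matches)}")
    if not set(new_password) <= set(_ALPHABET):
        raise ValueError("new password must be alphanumeric (no PHP escaping is done)")
    m = matches[0]
    old_password = _php_unquote(m.group(4))
    new_text = config_text[: m.start(4)] + new_password + config_text[m.end(4):]
    return new_text, old_password


def rotate_wp_config(path: str, new_password: str) -> str:
    """Rewrite wp-config.php atomically, keeping its mode; return the old password."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, old_password = set_db_password(text, new_password)
    mode = os.stat(path).st_mode & 0o777
    # Write to a temp file in the same directory, then rename over the original, so
    # readers see either the old or the new config and never a truncated one.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".wp-config.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return old_password


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        sys.exit("usage: rotate_db_password.py /path/to/wp-config.php")
    password = generate_password()
    rotate_wp_config(sys.argv[1], password)
    # The MySQL side of the rotation (ALTER USER / SET PASSWORD) is a separate step.
    print("wp-config.php updated; now set the MySQL password to match")
```

Because the script only reads the file as text, a backdoored theme or plugin cannot observe the rotation the way it could under wp-cli; the remaining risk is a wp-config.php that has been edited so that the define no longer matches, which the exactly-one check turns into a refusal rather than a silent skip. If the wp-cli path is kept at all, this text rewrite is the sensible default and wp-cli the thing behind the opt-in flag.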
Hi! snarain and I worked on a small commit to the initial makemysql script that creates a db pass and assigns it to a temp file that the makemysql-real python script reads. We can't run the modified python script due to privileges, but could someone look at our commit at
https://github.com/ocf/utils/tree/wp-automatic-db-pass

Thanks for working on this! You should still be able to test the script locally by installing WordPress on your personal OCF account and running the script from your home directory.
Never mind, I'm wrong about this, can a root staffer please test this? I'll be out of town for the next week and don't expect to have the time to test this.

Done in #129, although we may want to polish some ends (like not failing when there's no wp installation)