Page MenuHomeMiraheze

[Access Request] Zppix for mw-admin
Closed, ResolvedPublic

Description

Hello, i am again applying for access for mw-admin, I have been volunteer with Miraheze for multiple years now... I run multiple bots for miraheze, I now hold a Cisco Certified Entry Network Tech certification. I hope that you consider my request, i will answer any/all questions you may have.

Event Timeline

Zppix created this task.Sun, Oct 6, 23:11
Zppix moved this task from Radar to Access on the Operations board.Sun, Oct 6, 23:12
Zppix added a comment.EditedMon, Oct 7, 00:00

From a PM between me and @Southparkfan :

I want to permanently delete all archived files for a wiki, however, the maintenance script puts a very high load on the MediaWiki server. Linux offers a way (for any command you execute) to reduce processing priority. What is the full command you would run?
Using the nice command for example sudo -u www-data nice -3 php /srv/Mediawiki/w/maintenance/deleteArchivedFiles.php --wiki wikidb --delete --force
What is the cryptographic protocol we use for HTTPS?
TLS
Your access request has been approved. Since we are dealing with access to sensitive information, how would you mitigate the risk of your account (on-wiki, SSH, mail, etc) being compromised? What technologies could help to prevent malicious access to your account?
2fa, and regular password changes, longer keypairs
Before a web request reaches the MediaWiki server, it goes through a cache proxy. Why do we have cache proxies and why are they located in multiple countries?
Cache proxies can help relieve stress off the webserver by caching certain pages and displaying the cached page to a user rather then a live page, we have them in multiple countries to help with potential latency issues
What piece of software does Miraheze use for storing MediaWiki sessions? (hint: cache)
Redis
How much experience do you have with mitigating XSS, CSRF and SQL injection vulnerabilties? Are you familiar with extension reviews?
I dont have much experience with this but I am working towards getting my CompTIA Security +
Miraheze's infrastructure is fully virtualised, however, various virtualisation types are used. What are mw[1-4] running on?
OpenVZ
For some reason php-fpm or nginx crashed or stopped. While backend servers are automatically depooled in order to keep the site running, loss of a backend means less capacity for serving traffic. How would you try to find out why the process crashed?
I would check any available logs in /var/logs/nginx, journalctl, and/or systemctl status
On a scale of 1 till 5, rate your experience with:
Database (SQL, MariaDB, Postgres) 2
Frontend (Varnish/NGINX) 2
MediaWiki in enterprise/production environments 2
MediaWiki services (Electron/Proton, Restbase, etc) 2
Networking (routing / switchting) 3 (I have a CCENT)
SELinux / Security in Linux 3

John awarded a token.Thu, Oct 10, 15:32
RhinosF1 added a comment.EditedThu, Oct 10, 15:38

I don't get a vote but if I could +1 from me for sure, we need more people to slowly fry (Erm, fix) the servers. (See if you can remember where I stole that from.)

Jokes aside,

I've worked with Zppix on quite a few things are they're excellent to work with and very trustworthy.

Paladox added a comment.Thu, Oct 10, 18:24

I approve, the description on what they can do is detailed. This is also a great learning experience too!

Andreas awarded a token.Fri, Oct 11, 01:34
Andreas added a subscriber: Andreas.

+1 lgtm

Reception123 triaged this task as Normal priority.Sat, Oct 12, 07:55

I've known and worked with Zppix on a few things (such as ZppixBot) in the past, so I don't think I'd have any issues with this request. Would like to ask some extra questions though, as I usually do.

  1. If you became mw-admin what would you mainly do?
  1. Do you see yourself as being active in your role?
  1. What would you do if there's an issue but you don't know how to handle it?
  1. How would you install a new MediaWiki extension? (detailed steps)
  1. What would you do if a user sends an email and asks that you remove the 2FA from their account because they lost their codes?
  1. How would you import images if a user requests an import on Phabricator of file examplewiki.xml for examplewiki ? (full command)
  1. How would you check what processes are running on a server?
Zppix added a comment.EditedSat, Oct 12, 14:07
If you became mw-admin what would you mainly do?

I would help imports, troubleshooting potiental issues

Do you see yourself as being active in your role?

yes

What would you do if there's an issue but you don't know how to handle it?

Ask another sysadmin for help

How would you install a new MediaWiki extension? (detailed steps)

I'm not entirely sure but willing to learn

What would you do if a user sends an email and asks that you remove the 2FA from their account because they lost their codes?

Ask them to verify they are the account creator by using a committed identity or some other form of verification

How would you import images if a user requests an import on Phabricator of file examplewiki.xml for examplewiki ? (full command)

sudo -u www-data php importImages.php --wiki wikidb /path/to/file/ (NOTE: I edited it as i had a brain fart and reverse the order for the -u param.)

How would you check what processes are running on a server?

htop

For number 6, how would you get it from Phabricator to mw*?

Zppix added a comment.Sat, Oct 12, 15:50

For number 6, how would you get it from Phabricator to mw*?

wget, seems like the easiest way to do that

Okay, there are some things to be improved but I trust that with guidance Zppix will make a good mw-admin, so +1 from me.

RhinosF1 assigned this task to NDKilla.EditedMon, Oct 14, 06:02

Waiting on you

Zppix added a comment.Mon, Oct 14, 23:08

My public ssh key for use is at, P231 preferred shell username is zppix or zppix1

NDKilla awarded a token.Tue, Oct 15, 00:35

Approved.

This is a side issue but pending other staff approval, could we bridge irc #miraheze-staff and discord #staff since the bot manager will be staff now, or are there objections to that?

NDKilla removed NDKilla as the assignee of this task.Tue, Oct 15, 00:38
NDKilla added a comment.Tue, Oct 15, 02:53

misc bc i did like.. 1% of onboarding

flags set in #miraheze,#miraheze-offtopic, #miraheze-staff

discord role granted

Granted so far:

  • Security access on Phabricator
  • IRC flags

Can you provide your GitHub and on-wiki username? Please ensure your GitHub, on-wiki AND Phabricator accounts are all secured using 2FA.

Also:

southparkfan@mw1:~$ ssh-keygen -lf id_rsa
2048 SHA256:VTxY1tC92UDJC7t2fMBO2TGDvX0vPiQlLXaZUee6KnI support@zppixballee.com

Per our access policy, 2048 bit keys are prohibited. Please use at least 4096 bits or use an ed25519 key. It is up to you which one you choose, you don't need to have both either.

You will also get your own @miraheze.org mail address, please tell me which username you like (<username>@miraheze.org). Please also let me know if you want to be added to icinga/matomo/grafana and if you would like to receive icinga mails (if so, please state for which servers/services).

Zppix added a comment.Tue, Oct 15, 15:43

Zppix for onwiki, Pix1234, both with 2fa I will 4096 Key will be generated asap and zppix@miraheze is fine and i want all icinga matomo grafana, and i want all emails for mw*

Done:

  • On-wiki
  • Mail (password provided to Zppix)
  • Phabricator
  • IRC
  • GitHub
  • Matomo (reset password via mail)

To-do:

  • Shell (waiting for new keypair)
  • Icinga
  • Grafana

@Southparkfan: Has admin/member been given on staff wiki?

Also make sure @Zppix, that things Actually show on Icinga when it's done and all wikis come up in matomo as they must be in read groups which were missed when I was on boarded.

Staff wiki sysop, icinga and grafana given.

Southparkfan closed this task as Resolved.Tue, Oct 15, 17:26
Southparkfan claimed this task.

And shell has been given as well.