Obsolete:LocalisationUpdate/Proposed permissions setup

THIS IS AN OUT OF DATE PROPOSAL. It has been implemented with some changes. See LocalisationUpdate for current documentation.

Summary of changes

Create a new user for LU that only pushes out LU cache files
- This user owns the LU cache file directory
- This user has a passphraseless SSH key in its ~/.ssh on fenari so it can dsh to the Apaches
- Allow this user to run the LU update script as apache via sudo
Run the cron job as this user too
Allow wikidev users to sudo to the LU user
Change the l10nupdate and sync-l10nupdate scripts to sudo themselves to the LU user so wikidevs can run them safely

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
sudo -u luUser /home/wikipedia/bin/sync-l10nupdate-1

Would be the current contents of sync-l10nupdate, sans the sudo -u mwdeploy bit in the rsync command.

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
sudo -u luUser /home/wikipedia/bin/l10nupdate-1

Would be the current contents of l10nupdate except that it would

run extensions/LocalisationUpdate/update.php as apache through sudo and a wrapper shell script (l10nupdate-2)
same for maintenance/wmf/clearMessageBlobs.php
call sync-l10nupdate-1 directly

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
/home/wikipedia/bin/mwscript extensions/LocalisationUpdate/update.php "$@"

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
/home/wikipedia/bin/mwscript maintenance/wmf/clearMessageBlobs.php "$@"

Add luUser ALL = (apache) NOPASSWD: /home/wikipedia/bin/l10nupdate-2 /home/wikipedia/bin/l10nupdate-3
Allow ADMINS to run anything as luUser by adding to the user list on line 36

Make this owned by the LU user instead
TODO: We'll probably also want to have multiple log files here some day, rather than just logging the last run. Needs proper log rotation and such too