Obsolete:LocalisationUpdate/Proposed permissions setup

THIS IS AN OUT OF DATE PROPOSAL. It has been implemented with some changes. See LocalisationUpdate for current documentation.

• Create a new user for LU that only pushes out LU cache files
  • This user owns the LU cache file directory
  • This user has a passphraseless SSH key in its ~/.ssh on fenari so it can dsh to the Apaches
  • Allow this user to run the LU update script as apache via sudo
• Run the cron job as this user too
• Allow wikidev users to sudo to the LU user
• Change the l10nupdate and sync-l10nupdate scripts to sudo themselves to the LU user so wikidevs can run them safely

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
sudo -u luUser /home/wikipedia/bin/sync-l10nupdate-1

Would be the current contents of sync-l10nupdate, sans the sudo -u mwdeploy bit in the rsync command.

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
sudo -u luUser /home/wikipedia/bin/l10nupdate-1

Would be the current contents of l10nupdate except that it would

• run extensions/LocalisationUpdate/update.php as apache through sudo and a wrapper shell script (l10nupdate-2)
• same for maintenance/wmf/clearMessageBlobs.php
• call sync-l10nupdate-1 directly

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
/home/wikipedia/bin/mwscript extensions/LocalisationUpdate/update.php "$@"

#! /bin/bash
# This script belongs in /home/wikipedia/bin/.
/home/wikipedia/bin/mwscript maintenance/wmf/clearMessageBlobs.php "$@"

• Add luUser ALL = (apache) NOPASSWD: /home/wikipedia/bin/l10nupdate-2 /home/wikipedia/bin/l10nupdate-3
• Allow ADMINS to run anything as luUser by adding to the user list on line 36

• Change user to luUser instead of catrope
• Change command to l10nupdate-1

• Make this owned by the LU user instead
• TODO: We'll probably also want to have multiple log files here some day, rather than just logging the last run. Needs proper log rotation and such too