
Using shell.php in production fails to load personal configuration and sends warnings to Logstash
Open, Low | Public | PRODUCTION ERROR

Description

If you use maintenance/shell.php in production, then a message like the following will appear in Logstash (e.g. on the fatalmonitor board):

[14d509596bbbbff107cdb5e6] [no req] ErrorException from line 228 of /srv/mediawiki/php-1.34.0-wmf.13/vendor/psy/psysh/src/ConfigPaths.php: PHP Notice: Writing to /home/lucaswerkmeister-wmde/.config/psysh is not allowed.

This is because we use sudo to run the PHP script as the www-data user, but the environment isn’t reset, so it still tries to write to the calling user’s home directory, which isn’t writable to www-data.
.config/psysh would mostly be used to store command history, which won't be available because of this issue.

We could use shared configuration and command history for all users, but that's probably unhelpful.

Event Timeline

We could create a separate www-data-writable config directory for every user. I'm not quite sure of the security implications - if an attacker gains www-data access and is able to mess with PHP files executed by another user sudoing as www-data, can that be used somehow to mess with that user's original (probably more privileged) shell account?

The steps if we go that way would be roughly:

  • make mwscript store the original user as some environment variable (or maybe the shell provides some way to get that, there are some suggestions here)
  • add a $wgPsyShConfig global that gets passed into the Psy\Configuration constructor (or a hook or some other way of per-installation configuration settings)
  • override the config dir, history file etc. settings in Wikimedia production when the current user is www-data, with a value that's based on the original username.

(That would also allow mostly fixing T186936, by disabling forking when the PHP engine is HHVM.)

mmodell changed the subtype of this task from "Task" to "Production Error". Aug 28 2019, 11:06 PM

shell.php -d1 will redirect all debug output to the console. I guess we could redirect it by default to null.

Either way, it relies on MediaWikiServices::resetGlobalInstance() which is not perfect - e.g. ObjectCache still holds on to the original loggers, that should probably be fixed.

Tgr renamed this task from Using shell.php in production sends warnings to Logstash to Using shell.php in production fails to load personal configuration and sends warnings to Logstash. Jan 15 2023, 12:49 AM
Tgr updated the task description.

For folks who don't have $XDG_CONFIG_HOME set, this tries to write to /var/www/ (presumably that's ~ for www-data)

Here's what I see in logs. Would be nice to either pass a flag telling psysh where to write this file. Writing to that directory is probably not what we want :)

Error
labels.normalized_message
[{reqId}] {exception_url}   PHP Notice: Writing to directory /var/www/.config/psysh is not allowed.
error.stack_trace
from /srv/mediawiki-staging/php-1.41.0-wmf.5/vendor/psy/psysh/src/ConfigPaths.php(396)
#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /srv/mediawiki-staging/php-1.41.0-wmf.5/vendor/psy/psysh/src/ConfigPaths.php(396): trigger_error(string, integer)
#2 /srv/mediawiki-staging/php-1.41.0-wmf.5/vendor/psy/psysh/src/ConfigPaths.php(425): Psy\ConfigPaths::ensureDir(string)
#3 /srv/mediawiki-staging/php-1.41.0-wmf.5/vendor/psy/psysh/src/Configuration.php(644): Psy\ConfigPaths::touchFileWithMkdir(string)
#4 /srv/mediawiki-staging/php-1.41.0-wmf.5/vendor/psy/psysh/src/Configuration.php(672): Psy\Configuration->setHistoryFile(string)
#5 /srv/mediawiki-staging/php-1.41.0-wmf.5/vendor/psy/psysh/src/Configuration.php(809): Psy\Configuration->getHistoryFile()
#6 /srv/mediawiki-staging/php-1.41.0-wmf.5/vendor/psy/psysh/src/Shell.php(96): Psy\Configuration->getReadline()
#7 /srv/mediawiki-staging/php-1.41.0-wmf.5/maintenance/shell.php(92): Psy\Shell->__construct(Psy\Configuration)
#8 /srv/mediawiki-staging/php-1.41.0-wmf.5/maintenance/includes/MaintenanceRunner.php(681): MediaWikiShell->execute()
#9 /srv/mediawiki-staging/php-1.41.0-wmf.5/maintenance/run.php(51): MediaWiki\Maintenance\MaintenanceRunner->run()
#10 /srv/mediawiki-staging/multiversion/MWScript.php(140): require_once(string)
#11 {main}

Would be nice to either pass a flag telling psysh where to write this file.

$XDG_CONFIG_HOME is that flag.

Setting a default value is blocked on the question above:

We could create a separate www-data-writable config directory for every user. I'm not quite sure of the security implications - if an attacker gains www-data access and is able to mess with PHP files executed by another user sudoing as www-data, can that be used somehow to mess with that user's original (probably more privileged) shell account?
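
One way a wrapper could derive a per-caller $XDG_CONFIG_HOME from the SUDO_USER variable that sudo sets, as an added example that is not part of this task or of Wikimedia's mwscript. The function names and PSYSH_CONFIG_BASE are hypothetical, and the base directory is assumed to exist already and be owned by the service account.

```shell
#!/bin/sh
# Added example, not Wikimedia's mwscript. Names are hypothetical.
# Goal: give psysh a writable config dir per calling user when the PHP
# process runs as a shared account, without letting the caller name
# steer the path outside the base directory.

# Succeed only for names that are safe as a single path component:
# non-empty, no leading dot or dash, only [A-Za-z0-9._-].
valid_caller_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# psysh_config_home BASE CALLER
# Prints the directory to export as XDG_CONFIG_HOME, creating it with
# mode 0700 if needed. Fails on unsafe names and on symlinks.
psysh_config_home() {
    base=$1
    caller=$2
    valid_caller_name "$caller" || {
        echo "refusing caller name: $caller" >&2; return 1; }
    # The base must be a real directory, not a symlink to somewhere else.
    [ -d "$base" ] && [ ! -L "$base" ] || {
        echo "bad base directory: $base" >&2; return 1; }
    dir=$base/$caller
    # A pre-planted symlink would redirect history/config writes.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        ( umask 077; mkdir "$dir" ) || return 1
    fi
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Usage inside the wrapper, after the switch to the service account:
#   XDG_CONFIG_HOME=$(psysh_config_home "$PSYSH_CONFIG_BASE" "$SUDO_USER") || exit 1
#   export XDG_CONFIG_HOME
```

The directory remains writable by the service account, so this only keeps the path confined and private to that account; it does not settle the question quoted above about what a compromised www-data could do with files placed there.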