Proposal for a sudo-like behavior for admin operations

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
Ambox outdated content.svg

This page is kept for historical interest. Its content is outdated or may be wrong.

You may find more up-to-date information on the www.mediawiki.org website.

MediaWiki logo

This page proposed a feature that has a "sudo"-like behavior for any admin operation.

Summary[edit]

This feature introduces the admin session protection by requiring to re-enter their password to use any admin operation (a feature like "sudo"). It will depend on the wiki config to allow admin user to setup the session expire time (or to not expire at all) in his/her preferences.

Description[edit]

This is a feature that has a "sudo"-like behavior for any admin operation.

For admins (sysop, bureaucrat) to be required to re-enter their password to use any admin operation,

  1. When the admin user first login, they have all privileges with exactly the same as normal login user.
  2. When the admin user first click the link that require admin privileges (such as, delete, protect, block user), they will be prompted with password dialog box. They must re-enter their password to gain the admin privilege session, so that they can continue the admin operation.
  3. They won't be required to re-enter the password, to do any subsequent admin operation, within the limited expiration time (since last admin operation).
  4. The session with admin privilege will expire, after a limited time since last admin operation.
  5. When the session expire, they need to re-enter the password, to do the subsequent admin operation.
  6. Must have logs for every admin operation. Not only delete/protect/block operations which are already logged, the other admin operations, such as, viewing the deleted page, editing the protected page, rollback the page, should also be logged.
  7. Optionally, the admin may be required to give their reason to view any deleted page. The reason will be shown in the log that record the viewing of deleted page.
  8. It will depend on the config on each wiki project to allow admin user to setup the session expire time (or to not expire at all) in his/her preferences.
  9. When upgrading mediawiki, the admin session expire time will be, by default, not expire at all, to not have impact on the existing project.

Rationale[edit]

Why this feature?

  1. For admin to not overuse the admin-privileged operation.
  2. For admin to always recall that their power must be used carefully.
  3. To allow normal user to track any admin user, the use of their privileged power.
    • For example, to track the viewing of the deleted page is important. Since the normal user have no privilege to view that page, then the admin user shouldn't view the deleted page for his personal use or benefit, or to gain any advantage over normal user. The admin should only view the deleted page for the non-personal reason.
    • How can the admin gain benefit from viewing the deleted page? Yes, they can use the deleted page as a place to keep their personal content, the content that isn't allowed in wikipedia. They may first tell another anonymous user to put their personal content into wikipedia. The admin will then delete that page, while the admin can, later, still view and use that deleted page whenever they need.
  4. To explicitly distinguish of the moment when the admin is editing the page, they are editing on behalf of an admin, or of just a normal login user. So that admin will always recall at the moment of editing that, they are editing the page on behalf of an admin or of a normal user.
  5. For security reason, that some admin don't want to login as admin all the time. The admin can choose to login permanently, but only as a normal user (with no admin privilege), so they don't have to worry about someone to come to use their admin operation on their machine. Like in UNIX system, they usually don't use the root (by su or sudo) all the time.
  6. Some new projects using mediawiki may want this feature.

Counterpoints[edit]

  • Oblying the admins to retype their password once and again would break the remember me advatage. --14:58, 10 May 2006 Platonides
    • It is admin session that is not remembered, but the user session is still remembered. The admin user can still editing the pages on behalf of a normal user. The admin session should never be remembered, for the sake of security reason, isn't it? Like in UNIX system, they shouldn't use the root (by su or sudo) all the time. --Ans 12:06, 15 May 2006 (UTC)
      • Some vandal-fighting tools give the direct link to the delete when it's obvious. So i only doubleclick it, a new tab appears, i see the content on the deletion reason, that there's no history and press delete. It's done in seconds. But then it show me: Sorry, your session has expired. So i lose more time on the password entry than on checking if it needs deletion.
  • As stated on bugzilla, editing protected pages, and page rollback is already logged on the page history. Moreover it wouldn't make sense to log the rollover functions. So am i a better admin if instead of using the Revert link i use popups.js to do the same? --14:58, 10 May 2006 Platonides
    • That applies only to the admin with technical knowledge? --Ans 12:06, 15 May 2006 (UTC)
      • Of course, you need to know it exists ;) But it seems to me like be careful, you wil be judged on that use Platonides 14:15, 15 May 2006 (UTC)

Why not this feature?

  1. Can you provide an example of non-detectable admin-privileged operation overuse? --14:58, 10 May 2006 Platonides
    • The only non-detectable is viewing deleted page. Eventhough most are detectable, but the feature will always remind the admin ethic before doing things. --Ans 12:06, 15 May 2006 (UTC)
      • I argued about it below. And i was asking about overuse. Platonides 14:15, 15 May 2006 (UTC)
  1. You could set on the MediaWiki: namespace of admin-only pages: "<marquee>Your power must be used carefully</marquee>" :P --14:58, 10 May 2006 Platonides
    • This feature is a more efficient reminder :) --Ans 12:06, 15 May 2006 (UTC)
  2. Admins do not use privileged power for seeing deleted pages.
    • I don't go seeking deleted page for personal use or benefit! If someone sees a deleted page is because he doesn't know what it has. He sees that there are deleted edits and as he doesn't know priorly if it is related or not to his current work on that page, he goes and see it.
    • Normal (troll) users would say you have a deleted page there. Why don't you show it?. Thus several admins would need to see it to verify what it is (new entries on the log! So it is somethng important!) and repeat to that user that it's a copyvio.
    • I they wanted to set in wikipedia forbidden content that almost nobody can see... Wouldn't make much more sense asking the anonymous to directly send the page to him? If he were to see that page many times he would save the page in his/her hard disk. So multiple views would be as normal first-time views. Moreover, if he wanted to have it on a public wiki, he could set up his own wiki/webpage. --14:58, 10 May 2006 Platonides
      • It is possible that some admin will use wiki as the online storage for their copyvio content. Some may need to keep the contents online, not only in their harddisk, so that they can use the contents from anywhere. Eventhough they can put it in other free web service, but some admin may be unreasonable, and use wiki as their personal content storage, and no one can detect those use, if no log for viewing deleted page. --Ans 12:06, 15 May 2006 (UTC)
        • I think it really complicated.
  3. If he has used his powers recently he would see no difference. As previous, change the text saying it's protected to remember them. --14:58, 10 May 2006 Platonides
    • Sorry, I really don't understand what this sentence mean. --Ans 12:06, 15 May 2006 (UTC)
      • About remembering him if it's protected or not. If they've just deleted something, they wouldn't need to enter its password. You're as before. Platonides 14:15, 15 May 2006 (UTC)
  4. Anyone can detect an edit to a protected page by seeing if that edit is done between has protected and has unprotected events. --14:58, 10 May 2006 Platonides
    • I accept and realize this. It may be the optional feature to allow tracking of editing protected page more easier. --Ans 12:06, 15 May 2006 (UTC)

Summary[edit]

It seems to me that your're not really trusting your admins. So you want to have everything under control. Maybe that people doesn't derve being sysops? I remember you, you can change your preferences so sysops don't have access to view deleted pages, so they only can see deletion history, or neither it! the same applies to revert and other functionalities. Platonides 14:21, 15 May 2006 (UTC)

Related links[edit]