Page MenuHomePhabricator

"last" command on WMF Labs/Tools allows users to view IPs of other toolforge users
Closed, ResolvedPublic

Description

Not sure if this classifies as a security issue or is known, but any user connected via SSH to Labs can use the "last" command and find the IPs of all the recent users on there.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2017, 6:49 PM
Bawolff added subscribers: bd808, Bawolff.

My initial reaction would be that this is probably working as intended, but I'm not really sure what the privacy model for tool labs is.

bd808 added a comment.Aug 7 2017, 5:18 AM

Some shared hosting environments do remove or alter tools like last, w, ps, and others that could leak sensitive or semi-sensitive information about other users and processes on the host. To my knowledge, Tool Labs/Toolforge has ever done this. I would be surprised to find out that Toolserver did it either. The information is not made available to the general public. This information is only disclosed to other Toolforge project members.

I think we can probably make this more obvious somewhere in the signup process and/or the on-wiki help.

Wouldn't the idea to remove those options also be up for discussion? There really is absolutely no need for "last" and probably the other commands to be used by "regular users". Toolforge/Labs access is not too hard to get, so anyone could "easily" get access to the sensitive/semi-sensitive information.

This probably needs some more serious discussion about the nature of tenants within Toolforge. Offhand we could set perms on utilities of this kind that do not allow everyone to run them, but roots/admins obviously have need. But their is a long tail of information available about Tool owners to other Tool owners within the ecosystem and I'm not sure our comfort level with that has ever been well defined.

bd808 added a comment.Aug 7 2017, 9:30 PM

But their is a long tail of information available about Tool owners to other Tool owners within the ecosystem and I'm not sure our comfort level with that has ever been well defined.

The long tail is really my main concern. If we state that cross user information disclosure should not happen I'm afraid that we will either have to shutdown Toolforge or block significant portions of functionality that current project members use. Using a per-user chroot would certainly break many Toolforge workflows. Finding and removing/chmod'ing all of the things that users chould use to find information on other users and processes without chroot protections seems like a never ending game of whack-a-mole. The environment provides compilers and interpreted languages with easy access to system level apis, so merely chmoding standard system utilities will not be enough to block all cross-process information disclosure.

The original report is about IP address disclosure. I really think the answer to that concern is disclosing that this is a possibility and that individuals who are concerned that their IP address remain undisclosed should either not participate in the Toolforge project as maintainers or take other actions such as the use of TOR or an anonymizing proxy when connecting to Toolforge via ssh.

I wasn't sure if TOR/proxies were permitted while connecting to Toolforge, so if this option is preferred rather than limiting user options, as mentioned above it should be made more clear before registering.

Bawolff renamed this task from "last" command accessible via WMF Labs/Tools to "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users.Aug 17 2017, 5:56 PM
Bawolff added a project: Privacy.
Bawolff added a subscriber: APalmer_WMF.

FWIW, I support stating clearly at sign-up time that origin IP addresses are not private when using labs/toolforge. I don't believe we have the resources to fully lockdown all mechanisms of accessing this information, as @bd808 mentions above.

A general notice about the nature of shared platforms that includes the ability for other users to gather connected IP addresses as well as determine status of users and such seems worthwhile.

chasemp triaged this task as Medium priority.Aug 17 2017, 6:39 PM

I think we should remove the restrictive security ACL here. This is a policy and notification issue rather than a sensitive security issue.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 17 2017, 8:46 PM

I think we should remove the restrictive security ACL here. This is a policy and notification issue rather than a sensitive security issue.

Ok, its public.

Krenair added a subscriber: Krenair.EditedAug 17 2017, 8:52 PM

who is another such tool IIRC. But I agree we should just make it clearer that such sharing is expected.

It's not restricted to toolforge users, since you can do that on bastions as well.

Maybe we could consider some extra hop box that only allows normal users to
run SSH, and nothing else?

That would work on bastions I guess, but for toolforge bastions there are some commands more that are needed.

bd808 added a comment.Aug 21 2017, 7:59 PM

Maybe we could consider some extra hop box that only allows normal users to
run SSH, and nothing else?

This could be worth forking another task to discuss, but even if we found that this was greatly desired it would probably end up being low priority to implement. As @Luke081515 mentions this would be more likely to be workable for the normal Cloud VPS bastions than for the Toolforge bastions which really are not bastions in any traditional sense and instead are deployment and interactive shell hosts.

There are some (undocumented?) ideas about building a new interactive shell solution for Toolforge that could make isolation between users better not only for privacy but also for resource limit enforcement. That project is not on any concrete implementation timeline yet though.

bd808 closed this task as Resolved.Aug 24 2017, 12:56 AM
bd808 claimed this task.

Account creation in both wikitech.wikimedia.org and Striker now warn of potential for IP address disclosure.

Restricted Application added a project: User-bd808. · View Herald TranscriptAug 24 2017, 12:57 AM
sbassett moved this task from Intake to Done on the Privacy board.Oct 16 2019, 5:46 PM
bd808 moved this task from To Do to Done on the User-bd808 board.Jul 15 2020, 9:17 PM