
Leaked enwp10 replica.my.cnf/WP 1.0 bot botpassword credentials to Github
Closed, Resolved · Public · Security

Description

I accidentally committed a file with the replica.my.cnf credentials in it to Github. I have removed the file, but as Github warns, passwords should be considered compromised as soon as they hit the Github servers.

Please reset the credentials, thank you!

Event Timeline

I also leaked the "bot password" for the WP 1.0 Bot. I don't know where or how to reset or rescind this password. When I log into mediawiki.org I see "Audiodude@WP_1.0_bot" but I believe that makes edits as my user account. The account I need to reset is "WP 1.0 bot@WP_1.0_bot"

I regenerated these creds with

sudo /usr/local/sbin/maintain-dbusers delete tmoney --account-type=user

...and... after doing the wrong thing I also did the right thing:

sudo /usr/local/sbin/maintain-dbusers delete tools.enwp10

I have no idea what to do about the bot password; hoping one of the cc'd folks will have a clue about that.

Thank you so much Andrew! How do I get new credentials?

I've got a new replica.my.cnf, but I'm getting the following:

tools.enwp10@tools-sgebastion-08:~$ sql local
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 306364306
Server version: 10.1.39-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use sXXXXX_enwp10;
ERROR 1044 (42000): Access denied for user 'sXXXXX'@'%' to database 'sXXXXX_enwp10'

where XXXXX is the user id. The web tool is getting the same error.

Visit Special:BotPasswords. Re-auth; both password and 2FA will be needed if you use 2FA.

Click on the relevant entry under "Existing bot passwords".

Check "Reset password" and then click update at the bottom. It will give you a new password.

> The account I need to reset is "WP 1.0 bot@WP_1.0_bot"

The left hand side is the wiki username, the right hand side is the BotPassword.

You therefore need to log in as WP 1.0 bot and then select WP_1.0_bot as the "Existing bot password".

On the next page it should display WP 1.0 bot@WP_1.0_bot as the "username"

Thank you for this information, but I don't have access to the login password for WP 1.0 bot, I only have the bot password.

Regarding https://phabricator.wikimedia.org/T269513#6671553 it looks like the credentials in replica.my.cnf allow login access to the databases, but the user doesn't have permissions to s51114_enwp10 which is the name of the database that the tool uses on tools.db.svc.eqiad.wmflabs. Would it be possible to grant permissions?

> Thank you for this information, but I don't have access to the login password for WP 1.0 bot, I only have the bot password.

How do you not have the login password for it? Does someone else?

> How do you not have the login password for it? Does someone else?

I inherited this project but it was already many years old at that point. I found the bot password on toolforge and have been using it, but I didn't generate it.

I don't know who might have the login password, or whose email is associated with the account.

Who properly owns the bot?

https://en.wikipedia.org/wiki/User:WP_1.0_bot lists @Kelson too, does he have the password?

I see it does (or did) have a confirmed email address (not Kelson's), which is also the same email on numerous accounts, including Mathbot and numerous more user accounts. But with the email being an .edu address, it's certainly possible it may no longer work. That seems to be @OlegAlexandrov, who is still active on enwiki. CC'd them to this task...

While I can manually invalidate the BotPassword (and have done that now), I cannot in good conscience generate a new one. I imagine running the bot without actual control of the bot (knowing the password, having access to the email address etc) would be frowned upon by most communities.

I can email the current confirmed email later (either tonight, or tomorrow) and see if they respond. If they don't (or reply on here), I don't think there's any way we can give you control of the account, and you may need/want to setup another bot account to use in future

As a backup of the config/rights/restrictions:

MariaDB [metawiki]> select bp_user, bp_app_id, bp_restrictions, bp_grants from bot_passwords where bp_user = 16895388;
+----------+------------+--------------------------------------+-------------------------------------------+
| bp_user  | bp_app_id  | bp_restrictions                      | bp_grants                                 |
+----------+------------+--------------------------------------+-------------------------------------------+
| 16895388 | WP_1.0_bot | {"IPAddresses":["0.0.0.0/0","::/0"]} | ["basic","editpage","createeditmovepage"] |
+----------+------------+--------------------------------------+-------------------------------------------+
1 row in set (0.00 sec)
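As an added illustration of what the bp_restrictions column above means (this is example code, not MediaWiki's own implementation and not part of the task): the IPAddresses list is an allow-list of CIDR ranges the bot password may be used from, and "0.0.0.0/0" together with "::/0" covers every IPv4 and IPv6 address, so the leaked password was usable from anywhere. The scoped allow-list in the block is a constructed alternative using documentation ranges as stand-ins for wherever a bot actually runs; it is not the bot's real configuration. Treating a missing IPAddresses list as "deny" is a choice made for this example.

```python
"""Evaluate a BotPassword bp_restrictions JSON document against a client IP.

Added example: reproduces the IPAddresses allow-list check in plain Python so the
effect of "0.0.0.0/0" / "::/0" is visible. Not MediaWiki's code.
"""
import ipaddress
import json

# bp_restrictions exactly as recorded for WP_1.0_bot in this task.
RESTRICTIONS_AS_LEAKED = '{"IPAddresses":["0.0.0.0/0","::/0"]}'

# Constructed alternative (not from the task): documentation ranges standing in
# for the egress addresses a bot is actually run from.
RESTRICTIONS_SCOPED = '{"IPAddresses":["192.0.2.0/24","2001:db8::/32"]}'


def parse_restrictions(restrictions_json: str) -> list:
    """Return the IPAddresses allow-list as ip_network objects.

    A missing list yields [] and therefore denies everything; that is this
    example's fail-closed choice, not a statement about MediaWiki's defaults.
    """
    data = json.loads(restrictions_json)
    return [ipaddress.ip_network(cidr, strict=False)
            for cidr in data.get("IPAddresses", [])]


def ip_allowed(client_ip: str, restrictions_json: str) -> bool:
    """True if client_ip falls inside any listed range.

    ip_network.__contains__ returns False for an address of the other IP
    version, so an IPv6 client is never matched by an IPv4 range.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_restrictions(restrictions_json))


def allows_everything(restrictions_json: str) -> bool:
    """True when the allow-list contains a /0 for both IPv4 and IPv6, i.e. the
    restriction imposes no limit at all and a leaked password works anywhere."""
    nets = parse_restrictions(restrictions_json)
    v4_open = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6_open = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    return v4_open and v6_open


if __name__ == "__main__":
    for label, rules in (("as leaked", RESTRICTIONS_AS_LEAKED),
                         ("scoped", RESTRICTIONS_SCOPED)):
        print(label, "allows everything:", allows_everything(rules))
        for ip in ("203.0.113.7", "192.0.2.10", "2001:db8::1"):
            print("  ", ip, "allowed" if ip_allowed(ip, rules) else "blocked")
```

Narrowing the allow-list does not make a leaked bot password safe, but it means an attacker needs a foothold inside the listed ranges before the password is worth anything, which is a useful reduction for a credential that, like this one, may sit in a tool's working directory for years.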
Reedy renamed this task from Leaked enwp10 replica.my.cnf credentials to Github to Leaked enwp10 replica.my.cnf/WP 1.0 bot botpassword credentials to Github.Dec 6 2020, 9:35 PM

> ERROR 1044 (42000): Access denied for user 'sXXXXX'@'%' to database 'sXXXXX_enwp10'

Your db user name is not a secret, so just to make continued debugging easier in this case the username is s51114. Here are the user rights for that account on the ToolsDB system:

MariaDB [(none)]> show grants for s51114;
+-------------------------------------------------------------------------------------------------------+
| Grants for s51114@%                                                                                   |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 's51114'@'%' IDENTIFIED BY PASSWORD 'REDACTED' |
| GRANT ALL PRIVILEGES ON `s51114\_\_%`.* TO 's51114'@'%'                                               |
| GRANT SELECT, SHOW VIEW ON `%\_p`.* TO 's51114'@'%'                                                   |
+-------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

The database name s51114_enwp10 is not valid for the authentication grants that we setup for all ToolsDB users. The naming convention for databases is {username}__{dbname} with two _ characters, not one. As can be seen at https://tool-db-usage.toolforge.org/owner/s51114, the s51114_enwp10 database actually does exist. I assume that this db is quite old and that prior to the purge of the leaked credentials there was a grant that allowed access to this legacy db which no longer matches the naming conventions and default grants.

> The database name s51114_enwp10 is not valid for the authentication grants that we setup for all ToolsDB users. The naming convention for databases is {username}__{dbname} with two _ characters, not one. As can be seen at https://tool-db-usage.toolforge.org/owner/s51114, the s51114_enwp10 database actually does exist. I assume that this db is quite old and that prior to the purge of the leaked credentials there was a grant that allowed access to this legacy db which no longer matches the naming conventions and default grants.

I have manually added a grant on both ToolsDB instances for this legacy database name:

MariaDB [s51114_enwp10]> GRANT ALL PRIVILEGES ON `s51114\_enwp10`.* TO 's51114'@'%';
Query OK, 0 rows affected (0.01 sec)

Because this is a manual addition to the grants it is fragile. A future credentials reset or future rebuilds of the ToolsDB infrastructure may omit the needed grant. I would personally suggest creating a new database that follows the expected naming conventions (https://wikitech.wikimedia.org/wiki/Help:Toolforge/Database#User_databases) and migrating your tool's data to it.
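The two comments above come down to how the server matches a database name against the grant table, which is easy to misjudge by eye. Here is an added example (not Toolforge's or MariaDB's own code) that reproduces that check: in a GRANT database name, % matches any string, _ matches any single character, and a backslash makes the next character literal, which is why the default grant is printed as s51114\_\_% and does not cover the single-underscore s51114_enwp10. The grant patterns are copied from the SHOW GRANTS output and the manual GRANT above; naming_convention_ok is a hypothetical helper, not a Toolforge tool.

```python
"""Decide which privileges a ToolsDB user has on a database, given the patterns
printed by SHOW GRANTS. Added example; not Toolforge or MariaDB code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One GRANT ... ON `db_pattern`.* line as printed by SHOW GRANTS."""
    db_pattern: str        # e.g. r"s51114\_\_%"; a backslash escapes a wildcard
    privileges: frozenset  # e.g. frozenset({"ALL PRIVILEGES"})


def pattern_to_regex(db_pattern: str) -> re.Pattern:
    """Translate a MySQL/MariaDB grant database pattern into an anchored regex.

    '%' matches any string, '_' matches exactly one character, and a backslash
    makes the following character literal (the LIKE-style rules the server
    applies when it checks database privileges).
    """
    parts = []
    i = 0
    while i < len(db_pattern):
        c = db_pattern[i]
        if c == "\\" and i + 1 < len(db_pattern):
            parts.append(re.escape(db_pattern[i + 1]))  # escaped wildcard: literal
            i += 2
            continue
        if c == "%":
            parts.append(".*")
        elif c == "_":
            parts.append(".")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def effective_privileges(db_name: str, grants) -> frozenset:
    """Union of privileges from every grant whose pattern covers db_name.

    An empty result is what the client sees as ERROR 1044 (Access denied)."""
    privs = set()
    for g in grants:
        if pattern_to_regex(g.db_pattern).match(db_name):
            privs |= g.privileges
    return frozenset(privs)


# Default ToolsDB grants for s51114, copied from the SHOW GRANTS output above
# (the USAGE ON *.* line grants no database access and is omitted).
DEFAULT_GRANTS = (
    Grant(r"s51114\_\_%", frozenset({"ALL PRIVILEGES"})),
    Grant(r"%\_p", frozenset({"SELECT", "SHOW VIEW"})),
)

# The manual grant added for the legacy single-underscore database.
LEGACY_GRANT = Grant(r"s51114\_enwp10", frozenset({"ALL PRIVILEGES"}))


def naming_convention_ok(user: str, db_name: str) -> bool:
    """Hypothetical helper: True if db_name follows {username}__{dbname}, so the
    default grants cover it and a credential reset will not strand it."""
    return pattern_to_regex(rf"{user}\_\_%").match(db_name) is not None


if __name__ == "__main__":
    for db in ("s51114_enwp10", "s51114__enwp10", "enwiki_p"):
        got = sorted(effective_privileges(db, DEFAULT_GRANTS))
        print(db, got or "ERROR 1044: Access denied")
    print("s51114_enwp10 with legacy grant:",
          sorted(effective_privileges("s51114_enwp10", DEFAULT_GRANTS + (LEGACY_GRANT,))))
```

The escaping in the SHOW GRANTS output is what keeps the grant narrow: the same pattern written as s51114__% without backslashes would also match s51114_enwp10 (and any other name with two arbitrary characters after the user id), because each unescaped underscore is a one-character wildcard. That is also why a hand-typed GRANT for a legacy name should escape its underscores, as the one above does.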

You are correct, this database is quite old. Thank you for your help with this, I have confirmed that I can read from the database again.

Andrew triaged this task as Medium priority.Dec 8 2020, 5:10 PM
Andrew moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.

> That seems to be @OlegAlexandrov who is still active on enwiki. CC'd them to this task...

I reached out to Oleg on their Wikipedia user talk page but they said that they tried to reset the password and didn't get an email. I mentioned in a reply that the email is .edu as stated here, I don't know if that helps at all. They also pointed out (correctly) that they don't have a way of securely passing a new bot password to me or anyone else.

Not sure what to do at this point.

> They also pointed out (correctly) that they don't have a way of securely passing a new bot password to me or anyone else.

PGP? Give them access to the tool, and let them write it to a file on disk?

I note the bot and his seemingly previous accounts are all on the edu email. The account you messaged is the oldest, the others are quite a few years newer.

I guess you give him some time to see if he is just checking the wrong address, and if he still has access to that edu email.

If not, it's probably an account recovery via Trust-and-Safety

PGP won't help here. Even if I knew the password, which I don't, as my own email address is not .edu, so it changed after I had the bot account, how am I supposed to know that you folks are who you claim you are? I think you should indeed attempt to do an account recovery according to accepted procedures.

> PGP won't help here. Even if I knew the password, which I don't, as my own email address is not .edu, so it changed after I had the bot account, how am I supposed to know that you folks are who you claim you are? I think you should indeed attempt to do an account recovery according to accepted procedures.

PGP was the solution to "a way of securely passing a new bot password to [...] anyone else"

You're the (current) owner of the account. You would need to do the recovery. No one is going to just give the account to someone else.

The .edu email address would suggest it belonged to someone with your name.

Considering you claim to run https://en.wikipedia.org/wiki/User:Mathbot, that bot also has the same email as WP 1.0 bot (and 5 other accounts, two of which confirmed the email in 2006 and 2007). That bot is active, and is still attached to that same edu email. I don't believe "it changed" after you had the bot account. You obviously had access to that email at some point.

If that email is no longer correct (or you no longer have access to it), you should be changing it on that other Bot account too, otherwise if you lose access, you're going to be stuck there too.

> You're the (current) owner of the account. You would need to do the recovery. No one is going to just give the account to someone else.
>
> The .edu email address would suggest it belonged to someone with your name.
>
> Considering you claim to run https://en.wikipedia.org/wiki/User:Mathbot, that bot also has the same email as WP 1.0 bot (and 5 other accounts, two of which confirmed the email in 2006 and 2007). That bot is active, and is still attached to that same edu email. I don't believe "it changed" after you had the bot account. You obviously had access to that email at some point.
>
> If that email is no longer correct (or you no longer have access to it), you should be changing it on that other Bot account too, otherwise if you lose access, you're going to be stuck there too.

Well, that's a good point. Apparently I can't recover the password even for User:Mathbot, and that one is surely mine. So maybe WP 1.0 bot is still mine, and in the same situation. I no longer have access to the .edu email address.

So, as much as I wish to help, I can't. Is there a way for any of you to appeal directly to whoever manages the database? And you are welcome to take ownership of the WP 1.0 bot account, as it has been 10 years since I had anything to do with it.

I have found the password for "WP 1.0 bot" (Thank you backup!)

Should T269898: Bot needs account unlocked be merged here? Or is there anything that can be done publically there?

> Should T269898: Bot needs account unlocked be merged here? Or is there anything that can be done publically there?

I'm not sure what merging would mean, but T269898: Bot needs account unlocked is a consequence of the situation described in this ticket, yes. I'm just wondering if anyone can reset the login attempts for the bot account now that we have the password.

Is there anything else to be done at this point? If not, is there a reason to keep this private, or can we publish it (as we usually do with security tasks)?

Yes it's all resolved now, you can publish it if you like, I don't have an opinion and am not familiar with the policy.

Audiodude claimed this task.
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 11 2020, 1:05 AM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".