
tools-puppetmaster-02 allows any toolforge user to log in and view secrets
Closed, Resolved | Public | Security

Description

Any Toolforge user can log in to tools-puppetmaster-02 and read any file located under /var/lib/git/labs/private, including files modified in local commits containing Toolforge secrets (obviously I didn't look at the contents of any actual secret files, but I did look at the list of affected files using git log --name-only --pretty=oneline, and using ls -a shows that they are world readable).

There might be similar security vulns on other "internal" Toolforge nodes that can be accessed by any Toolforge user or on other shared projects.
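The two checks the report describes, reproduced as an added example (this is not code from the task, from Toolforge, or from the puppet repos): one lists files touched by local, non-upstream commits in a checkout such as /var/lib/git/labs/private and keeps those whose mode grants read to "other", the second lists every world-readable file under the checkout regardless of history. The repository path, the name of the upstream ref, and the demo repository with its sample "secret" files are constructed for the example; only git, find and ls are assumed.

```shell
#!/bin/sh
# Added example, not code from the task or the Toolforge puppet repos.
# Assumptions: git is on PATH; the repository path and the upstream ref name
# passed in are the caller's (both hypothetical here).

# Files touched by commits in REPO that are not reachable from UPSTREAM and
# whose working-tree mode grants read to "other". Prints "<mode> <path>".
audit_local_commits() {
  repo="$1"
  upstream="$2"
  git -C "$repo" log --name-only --pretty=format: "$upstream..HEAD" \
    | sed '/^$/d' | sort -u \
    | while IFS= read -r f; do
        [ -f "$repo/$f" ] || continue           # deleted or renamed away
        mode=$(ls -ld "$repo/$f" | cut -c1-10)  # e.g. -rw-r--r--
        case "$mode" in
          ???????r??) printf '%s %s\n' "$mode" "$f" ;;  # 8th char = other-read
        esac
      done
}

# Every regular file under REPO (skipping .git internals) with mode bit o+r,
# i.e. readable by any user who can log in to the host.
list_world_readable() {
  repo="$1"
  find "$repo" -name .git -prune -o -type f -perm -004 -print | sort
}

# Constructed demo repository: an empty "upstream" base commit, a branch
# standing in for the remote-tracking ref, and one local commit adding a
# world-readable secrets file next to a correctly locked-down one.
# Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -c init.defaultBranch=main init -q "$dir"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "upstream base"
  git -C "$dir" branch -q upstream
  mkdir -p "$dir/hieradata"
  printf 'db_password: hunter2\n' > "$dir/hieradata/secrets.yaml"       # constructed
  chmod 644 "$dir/hieradata/secrets.yaml"                               # the bug
  printf 'api_token: not-for-you\n' > "$dir/hieradata/credentials.yaml" # constructed
  chmod 600 "$dir/hieradata/credentials.yaml"                           # correct
  git -C "$dir" add -A
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m "local: add secrets"
  printf '%s\n' "$dir"
}

demo=$(make_demo_repo)
echo "world-readable files touched by local commits:"
audit_local_commits "$demo" upstream
echo "all world-readable files in the checkout:"
list_world_readable "$demo"
rm -rf "$demo"
```

On a real puppetmaster the first function would be called with the checkout path and the remote-tracking ref the local commits sit on top of (for example `audit_local_commits /var/lib/git/labs/private origin/master`, with the ref name being whatever that host actually tracks); it only reports files whose mode still lets "other" read them, so a file that was locked down after being committed does not appear. The second function is the broader check, since a secret can be world-readable without ever having been touched by a local commit.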

Details

Author Affiliation
Wikimedia Communities

Event Timeline

Bstorm moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.
Bstorm added a subscriber: Bstorm.

I can confirm this doesn't have the appropriate "infrastructure warning" that comes with the blocking code for logins. I can probably just add the profile to the prefix in horizon to fix it.

I've added the profile::toolforge::infrastructure that blocks this. That should be applied to any server that isn't for public login in the tools project, but it was missed on a puppetmaster rebuild.

This change is the root cause of T287037: toolsbeta remote crontab is broken. Cron servers need to be treated like bastions in the tools/toolsbeta projects.

bd808 changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 20 2021, 9:27 PM