Page MenuHomePhabricator
Create Task
Maniphest T277756

tools-puppetmaster-02 allows any toolforge user to log in and view secrets
Closed, ResolvedPublicSecurity
Actions

Description

Any Toolforge user can log in to tools-puppetmaster-02 and read any file located under /var/lib/git/labs/private, including files modified in local commits containing Toolforge secrets (obviously I didn't look at the contents of any actual secret files, but I did look at the list of affected files using git log --name-only --pretty=oneline, and using ls -a shows that they are world readable).

There might be similar security vulns on other "internal" Toolforge nodes that can be accessed by any Toolforge user or on other shared projects.

Details

Author Affiliation
Wikimedia Communities
ProjectBranchLines +/-Subject
operations/puppetproduction+14 -11toolforge: set up an "opt out" of the infrastructure profile
Customize query in gerrit

Related Objects

Event Timeline

taavi created this task.Mar 18 2021, 2:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 18 2021, 2:12 PM
taavi added projects: cloud-services-team (Kanban), Toolforge.Mar 18 2021, 2:12 PM
Bstorm claimed this task.Mar 18 2021, 3:47 PM
Bstorm moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.
Bstorm added a subscriber: Bstorm.

I can confirm this doesn't have the appropriate "infrastructure warning" that comes with the blocking code for logins. I can probably just add the profile to the prefix in horizon to fix it.

Bstorm closed this task as Resolved.Mar 18 2021, 4:20 PM

I've added the profile::toolforge::infrastructure that blocks this. That should be applied to any server that isn't for public login in the tools project, but it was missed on a puppetmaster rebuild.

aborrero mentioned this in T277778: Toolforge: consider decoupling user & accounts from CloudVPS accounts.Mar 18 2021, 4:52 PM
bd808 added a subscriber: bd808.Jul 20 2021, 9:18 PM

This change is the root cause of T287037: toolsbeta remote crontab is broken. Cron servers need to be treated like bastions in the tools/toolsbeta projects.

bd808 changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 20 2021, 9:27 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jul 20 2021, 9:48 PM
sbassett added a project: SecTeam-Processed.
Zabe added a project: Vuln-Infoleak.Sep 25 2021, 1:53 PM
Zabe added a subscriber: Zabe.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL