
/var/log/mailman/subscribe* has PII (IP addresses) from August 2020
Closed, Resolved | Public | Security

Description

I need to stop looking at Mailman2, sigh. I was poking around trying to find subscriber statistics for T281549 and realized that /var/log/mailman/subscribe* has entries going back to August 2020 (log rotate isn't enabled?) and it contains PII, specifically IP addresses. This is way past 90 days as specified in https://meta.wikimedia.org/wiki/Data_retention_guidelines#How_long_do_we_retain_non-public_data?

These log entries are formatted as:

Aug 12 14:03:45 2020 (some number) list name: pending <name> <email>  <IP address>

Event Timeline

Legoktm set Security to Software security bug. May 1 2021, 6:16 AM
Legoktm added projects: Security, Security-Team.
Legoktm changed the visibility from "Public (No Login Required)" to "Custom Policy".
Legoktm changed the subtype of this task from "Task" to "Security Issue".
Legoktm added a project: SRE.

(Sorry, meant to file as a security task)

Reedy subscribed.

Are you going to delete the really old ones straight off?

James is going to check with legal, but it's probably not going to be a major issue though.

I can just delete all IP addresses from old logs if that works.
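One way to do that redaction for the Mailman 2 subscribe-log format shown in the description, added here as an example (not code from the task or from Wikimedia's tooling); the line regex, the constructed sample entries, the list name and the NOW timestamp are assumptions, and the 90-day limit is the one the task cites:

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Shape of a Mailman 2 subscribe-log entry, from the task description:
#   Aug 12 14:03:45 2020 (some number) list name: pending <name> <email>  <IP address>
# Exact spacing and the "pending" keyword are assumptions; only the last token is
# treated as the IP, and only if it parses as one, so lines without an IP stay as-is.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\((?P<num>\d+)\) (?P<body>.*?)\s+(?P<last>\S+)\s*$"
)
REDACTED = "[IP redacted]"
RETENTION = timedelta(days=90)  # limit from the retention guidelines cited in the task

def parse_timestamp(ts):
    # Collapse the padding space before single-digit days, then parse.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S %Y")

def redact_line(line, now, max_age=RETENTION):
    """Blank the trailing IP of one entry older than max_age; returns (line, changed).
    Unparseable lines and lines whose last token is not an IP are returned unchanged."""
    m = LINE_RE.match(line)
    if not m:
        return line, False
    try:
        ipaddress.ip_address(m.group("last"))  # accepts IPv4 and IPv6
    except ValueError:
        return line, False
    if now - parse_timestamp(m.group("ts")) <= max_age:
        return line, False  # still inside the retention window: keep
    return f"{m.group('ts')} ({m.group('num')}) {m.group('body')} {REDACTED}", True

def scrub_log(text, now, max_age=RETENTION):
    """Apply redact_line to every line; returns (scrubbed_text, lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        new, did = redact_line(line, now, max_age)
        out.append(new)
        changed += did
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed

# Constructed sample input (not from the real logs); NOW is the task's filing date.
SAMPLE_LOG = (
    "Aug 12 14:03:45 2020 (12345) example-l: pending Jane Doe jane@example.org  192.0.2.10\n"
    "Apr 20 09:15:00 2021 (12346) example-l: pending J Roe jroe@example.net  2001:db8::7\n"
    "Apr 21 10:00:00 2021 (12347) example-l: new Jane Doe jane@example.org\n"
)
NOW = datetime(2021, 5, 1, 6, 16)
```

Running `scrub_log(SAMPLE_LOG, NOW)` redacts only the first entry: the second is inside the window and the third carries no IP.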

@Ladsgroup Thanks - that would be great! Presumably this problem goes away with migration to Mailman3? Do we need to set up any kind of log rotation there to prevent this from happening again?

If I'm reading the logrotate config correctly:

/var/log/mailman/subscribe /var/log/mailman/post {
	su root list
	monthly
	missingok
	create 0664 list list
	rotate 12
	compress
	delaycompress
	sharedscripts
	postrotate
		[ -f '/var/run/mailman/mailman.pid' ] && /usr/lib/mailman/bin/mailmanctl -q reopen || exit 0
	endscript
}

monthly + rotate 12 ends up keeping logs for a whole year.

In Mailman3 we don't have a separate subscriber log (we can rely on Apache2 access logs), but I checked the logrotate config anyways and it only keeps them for 5 days max.

legoktm@lists1001:/var/log/mailman3$ cat /etc/logrotate.d/mailman3
/var/log/mailman3/mailman.log {
	daily
	rotate 5
	compress
	delaycompress
	missingok
	notifempty
	create 640 list list
	postrotate
		if /etc/init.d/mailman3 status >/dev/null; then \
		    /usr/bin/mailman-wrapper reopen >/dev/null; \
		fi;
	endscript
}
legoktm@lists1001:/var/log/mailman3$ cat /etc/logrotate.d/mailman3-web
/var/log/mailman3/web/mailman-web.log {
	copytruncate
	daily
	rotate 5
	compress
	delaycompress
	missingok
	notifempty
	create 640 www-data www-data
}

However, that config doesn't cover bounce.log, debug.log, plugins.log, smtp.log. I'll file a separate task for that.

I deleted all IPs from old subscribe files.

Couldn't find anything old in logs besides subscribe. It's only post logs, but they don't have any IPs in them AFAICS.

Dzahn triaged this task as Medium priority. May 4 2021, 10:07 PM

Anything else that needs to be done on this?

Preventing this from happening again would be an action but hopefully once we shut down mm2 (this week, fingers crossed) and after a while delete the logs, we can consider it done I assume.

Legoktm claimed this task.

I deleted everything in /var/log/mailman just now. T285376: Fix Mailman3 log rotate will take care of this for MM3.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 24 2021, 9:11 AM