Page MenuHomePhabricator
Create Task
Maniphest T287822

Bash tool credentials are world-readable on Toolforge
Closed, ResolvedPublicSecurity
Actions

Description

this is barely worth a phabricator task since it’s an owner-only consumer but the credentials of bash.toolforge.org are world-readable on toolforge and i assume they’re not supposed to be

lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.bash/quips/.env
#ES_URL=http://tools-elastic-01.tools.eqiad.wmflabs/
ES_URL=http://elasticsearch.svc.tools.eqiad1.wikimedia.cloud/
ES_USER=tools.bash
ES_PASSWORD="xxxxxxxxxxxxxxxxxxxxxxxx"
CAN_EDIT=true
CAN_VOTE=true
LOG_CHANNEL=quips
LOG_LEVEL=info
SLIM_MODE=development
USE_OAUTH=true
## bash.toolforge.org OAuth
OAUTH_CONSUMER_TOKEN=e73eaac293eaa1ba7f11952cd874f365
OAUTH_SECRET_TOKEN=xxxxxxxxxxxxxxxxxxxxxxx
OAUTH_ENDPOINT="https://www.mediawiki.org/w/index.php?title=Special:OAuth"
OAUTH_REDIR="https://www.mediawiki.org/wiki/Special:OAuth/authenticate?"
OAUTH_CALLBACK=https://bash.toolforge.org/oauth/callback
## tools.wmflabs.org/bash
#OAUTH_CONSUMER_TOKEN=aea31746a1e5d5b3e7514952f70e7035
#OAUTH_SECRET_TOKEN=xxxxxxxxxxxxxxxxxxxxxxx
#OAUTH_ENDPOINT="https://www.mediawiki.org/w/index.php?title=Special:OAuth"
#OAUTH_REDIR="https://www.mediawiki.org/wiki/Special:OAuth/authenticate?"
#OAUTH_CALLBACK=https://tools.wmflabs.org/bash/oauth/callback

can a toolforge admin or @bd808 just chmod go-rwx ~tools.bash/quips/.env and then we’ll get on with our lives and forget this ever happened

Details

Author Affiliation
Wikimedia Deutschland

Event Timeline

LucasWerkmeister created this task.Jul 31 2021, 11:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 31 2021, 11:41 PM
LucasWerkmeister added projects: Toolforge, Vuln-Infoleak.Jul 31 2021, 11:42 PM

please excuse my writing style it’s late at night and i’m tired

Reedy edited projects, added SecTeam-Processed; removed Security-Team.Aug 1 2021, 12:55 AM
Reedy subscribed.
root@tools-sgebastion-07:~# chmod go-rwx ~tools.bash/quips/.env
root@tools-sgebastion-07:~# ls -al ~tools.bash/quips/.env
-rw------- 1 tools.bash tools.bash 992 Jun  9  2020 /data/project/bash/quips/.env
LucasWerkmeister closed this task as Resolved.Aug 1 2021, 9:25 AM
LucasWerkmeister assigned this task to Reedy.

Thanks! Tool still seems to work (though I guess that could just be because it hasn’t been restarted yet).

sbassett subscribed.Aug 4 2021, 9:18 PM

@LucasWerkmeister - Is there anything on this task concerning to you or are you ok if we make this public? Thanks.

LucasWerkmeister added a comment.Aug 4 2021, 9:21 PM

Should be okay to make public, thanks.

sbassett triaged this task as Low priority.Aug 4 2021, 9:29 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits