The sal tool has Elasticsearch credentials (T250024), which I suspect are supposed to be private (since other tools’ .elasticsearch.ini files generally seem to have mode 0640); however, they’re currently in a world-readable environment file.
lucaswerkmeister@tools-sgebastion-10:~$ cat ~tools.sal/SAL/.env ES_URL=http://elasticsearch.svc.tools.eqiad1.wikimedia.cloud/ ES_USER=tools.sal ES_PASSWORD="[REDACTED]" #SLIM_MODE=development SLIM_MODE=production lucaswerkmeister@tools-sgebastion-10:~$ namei -l ~tools.sal/SAL/.env f: /data/project/sal/SAL/.env drwxr-xr-x root root / drwxr-xr-x root root data lrwxrwxrwx root root project -> /mnt/nfs/labstore-secondary-tools-project drwxr-xr-x root root / drwxr-xr-x root root mnt drwxr-xr-x root root nfs drwxr-xr-x root root labstore-secondary-tools-project drwxrwsr-x tools.sal tools.sal sal drwxr-sr-x tools.sal tools.sal SAL -rw-r--r-- tools.sal tools.sal .env