sal tool’s Elasticsearch credentials are world-readable
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	LucasWerkmeister
	Dec 7 2022, 1:19 AM

Description

The sal tool has Elasticsearch credentials (T250024), which I suspect are supposed to be private (since other tools’ .elasticsearch.ini files generally seem to have mode 0640); however, they’re currently in a world-readable environment file.

lucaswerkmeister@tools-sgebastion-10:~$ cat ~tools.sal/SAL/.env
ES_URL=http://elasticsearch.svc.tools.eqiad1.wikimedia.cloud/
ES_USER=tools.sal
ES_PASSWORD="[REDACTED]"
#SLIM_MODE=development
SLIM_MODE=production
lucaswerkmeister@tools-sgebastion-10:~$ namei -l ~tools.sal/SAL/.env
f: /data/project/sal/SAL/.env
drwxr-xr-x root      root      /
drwxr-xr-x root      root      data
lrwxrwxrwx root      root      project -> /mnt/nfs/labstore-secondary-tools-project
drwxr-xr-x root      root        /
drwxr-xr-x root      root        mnt
drwxr-xr-x root      root        nfs
drwxr-xr-x root      root        labstore-secondary-tools-project
drwxrwsr-x tools.sal tools.sal sal
drwxr-sr-x tools.sal tools.sal SAL
-rw-r--r-- tools.sal tools.sal .env

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Related Objects

Mentioned Here: T250024: Elasticsearch credential request for sal

Event Timeline

LucasWerkmeister created this task.Dec 7 2022, 1:19 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 7 2022, 1:19 AM

I’m only filing this task, and not chmod’ing the file myself, because I don’t know if anything else relies on the file being readable, and because the risk of leaving it open a bit longer seems comparatively low to me.

I did a chmod 0600 on that .env file so it is no longer easily readable. I will rotate the password tomorrow.

Restricted Application added a project: User-bd808. · View Herald TranscriptDec 7 2022, 1:24 AM

👍 thanks!

I had forgotten how cumbersome this process is. Docs at https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin#Granting_a_tool_write_access_to_Elasticsearch

Thanks, @LucasWerkmeister and @bd808. Anything else to do here or can we resolve?

In T324637#8461096, @sbassett wrote:

Thanks, @LucasWerkmeister and @bd808. Anything else to do here or can we resolve?

I still haven't actually rotated the credentials yet. My desires and reality fell out of sync. I will try to make space to actually finish that today (which is slightly less flaky than saying I will do it "tomorrow").

In T324637#8461161, @bd808 wrote:

I still haven't actually rotated the credentials yet. My desires and reality fell out of sync. I will try to make space to actually finish that today (which is slightly less flaky than saying I will do it "tomorrow").

Ok, thanks!

#wikimedia-cloud 2022-12-13

[00:11]  <    bd808> !log tools.sal Rotated elasticsearch password (T324637)
[00:11]  < stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.sal/SAL

@sbassett I would appreciate it if you made this ticket public now that the vulnerability has been resolved.

In T324637#8462285, @bd808 wrote:

@sbassett I would appreciate it if you made this ticket public now that the vulnerability has been resolved.

Done.

sal tool’s Elasticsearch credentials are world-readableClosed, ResolvedPublicSecurityActions

Description

Details

Related Objects

Event Timeline

sal tool’s Elasticsearch credentials are world-readable
Closed, ResolvedPublicSecurity
Actions