Page MenuHomePhabricator
Create Task
Maniphest T337140

Files created in a tool's home directory can be read by other tools
Closed, DeclinedPublic
Actions

Description

Today I talked with ACooper about a potential security risk in Toolforge, and I did some investigation with @aborrero.

The permissions of a tool's home directory /data/project/<tool> are 755, so anyone can traverse it. The umask in Toolforge bastions is 022 (the Debian default), so any new file that you create as a tool user (after running become $toolname) has rw-r--r-- permissions.

This means that files created in a tool's home directory /data/project/<tool> can be read by any other tool account, which maybe is required by some use cases but could be different from what some users expect. This might lead some users to write sensitive data (e.g. credentials) in their tool's home directory and exposing that data to other users without intending to do so.

This does not affect the files created automatically by maintain-dbusers (like replica.my.cnf containing the credentials for the replica dbs), that are created with a more secure r--------.

Example:

fnegri@tools-sgebastion-10:~$ become whopaintedthis
tools.whopaintedthis@tools-sgebastion-10:~$ cat replica.my.cnf > test_file
tools.whopaintedthis@tools-sgebastion-10:~$ ls -lh
[...]
-r-------- 1 tools.whopaintedthis tools.whopaintedthis   52 Aug 13  2022 replica.my.cnf
-rw-r--r-- 1 tools.whopaintedthis tools.whopaintedthis   52 May 20 17:22 test_file
[...]
fnegri@tools-sgebastion-10:~$ sudo become arturo-test-tool
tools.arturo-test-tool@tools-sgebastion-10:~$ cd /data/project/whopaintedthis/
tools.arturo-test-tool@tools-sgebastion-10:/data/project/whopaintedthis$ cat replica.my.cnf
cat: replica.my.cnf: Permission denied
tools.arturo-test-tool@tools-sgebastion-10:/data/project/whopaintedthis$ cat test_file
[the file content is displayed]

Related Objects

Event Timeline

fnegri created this task.May 20 2023, 6:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 20 2023, 6:20 PM
fnegri updated the task description. (Show Details)May 20 2023, 6:21 PM
fnegri added a subscriber: bd808.
bd808 added a comment.May 21 2023, 6:43 AM

The permissive mask is purposeful. We want most things to be readable by others normally.

taavi edited projects, added Security; removed WMF-NDA.May 21 2023, 9:29 AM
taavi changed the visibility from "Custom Policy" to "Custom Policy".
taavi changed the edit policy from "Custom Policy" to "Custom Policy".
fnegri added a comment.May 23 2023, 5:27 PM

Perhaps I was too fast in declaring the current umask "too open", and I see the point in having the greatest possible openness and transparency.

At the same time, personally I was surprised to find that I could read files from other tools. When I ran become mytool, I always naively assumed that I could safely store things in that directory that I wanted only the tool maintainers to see, so not just the source code but potentially also various kind of secrets.

If we want to keep the current umask, that's fine with me, but I would suggest we add a banner in the console (that could be shown after you ssh to the bastion, or after you run become mytool) to remember you that any file you create there will be readable by default by any other user of Toolforge. This help page also seems to suggest that only files in /data/project/shared are readable "by all Toolforge tools and users". I would clarify in the wiki that also applies to the files in /data/project/mytool.

Personally, I would be more comfortable with a model where only the tool maintainers can access the tool home directory, and there is a separate shared directory (or maybe Swift?) if you want to explicitly share something with other users. But it might just be that I'm used to interacting with commercial platforms where that is the default, so I very much welcome a conversation on the pros and cons of both approaches.

bd808 added a comment.May 24 2023, 2:36 PM

https://wikitech.wikimedia.org/wiki/Help:Toolforge/Quickstart#File_permissions

bd808 renamed this task from umask in Toolforge bastions is too open to umask in Toolforge bastions is more permissive than expected by some reviewers.May 24 2023, 3:00 PM
Legoktm added subscribers: LucasWerkmeister, Legoktm.May 31 2023, 7:02 AM

IMO the permissive umask is pretty important in supporting the right to fork in a soft manner and increases the sustainability of tools when more people can peek at them.

There are of course, plenty of people who miss this and end up leaving credentials world-readable (just look for the tens of security tasks filed by @LucasWerkmeister on this topic). But tools don't really have *that* sensitive data/credentials in the first place (and the few tools that do have pretty careful maintainers or are isolated through separate Cloud VPS projects) that in practice the current balance of openness at the cost of a little bit of security seems reasonable to me.

fnegri added a comment.May 31 2023, 9:06 AM

Thanks @bd808 and @Legoktm for giving me more context. Would you object to the addition of a message when running become mytool to remind users of the default settings? I added a possible draft below. If you think that is too intrusive, and I'm the only one who wants this, I'm happy to close this ticket as "Declined".

fnegri@tools-sgebastion-10:~$ become mytool
------------
You are now acting as "mytool". Remember that files you add to your home directory (/data/project/mytool)
by default can be read by any other Toolforge user. If you need to create a file containing sensitive
information (credentials, etc.) please read https://wikitech.wikimedia.org/wiki/Help:Toolforge/Quickstart#File_permissions
------------
tools.mytool@tools-sgebastion-10:~$
fnegri added a comment.May 31 2023, 9:20 AM

I have updated https://wikitech.wikimedia.org/wiki/Help:Toolforge/Developing_successful_tools#Sharing_files_via_NFS to clarify that files in /data/project/<tool> are readable by other tools, in a similar way to files placed in /data/project/shared.

fnegri updated the task description. (Show Details)May 31 2023, 9:49 AM
LucasWerkmeister added a comment.May 31 2023, 3:21 PM

I generally agree with @bd808 and @Legoktm that changing the umask would be overkill. Adding a message to become sounds like a good idea to me, especially for new users, though I expect more experienced users will eventually want a way to silence this warning, via an env var or ~/.config/become config file or whatever.

bd808 added a comment.May 31 2023, 5:30 PM

The current 022 default umask appears to be implemented in /etc/login.defs and unchanged from the upstream Debian default configuration. This means that it applies to all users, not just the tool account users that are switched to via our become script.

$ grep -i umask /etc/login.defs
#       UMASK           Default "umask" value.
# UMASK is the default umask value for pam_umask and is used by
# 022 is the "historical" value in Debian for UMASK
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
UMASK           022
# Other former uses of this variable such as setting the umask when

To me this makes a specific warning added to become feel like noise. Maybe adding something to the motd would be more reasonable if folks really do believe that a) this is worth an explicit warning and b) that anyone actually reads the motd or other login banners.

The permissions of a tool's home directory /data/project/<tool> are 755, so anyone can traverse it.

This is actually the bit that is most likely to be the "surprise" and not the umask value.

fnegri renamed this task from umask in Toolforge bastions is more permissive than expected by some reviewers to Files created in a tool's home directory can be read by other tools.May 31 2023, 5:47 PM
fnegri updated the task description. (Show Details)

This is actually the bit that is most likely to be the "surprise" and not the umask value.

I agree, the umask is not the surprising thing here. I have updated the title accordingly, feel free to rephrase further.

Legoktm added a comment.May 31 2023, 6:51 PM

While improving documentation is always great and appreciated, my hopefully not-too-cynical take is that any nagging in MOTD or prompts from become will just be ignored by most users. I'd rather see time/effort invested in proper secrets management, so we can guide people into systems that are properly set up to protect credentials, etc.

fnegri closed this task as Declined.Jun 7 2023, 2:01 PM

Given there is no clear consensus on whether MOTD-style messages can be useful or not, I'm closing this as Declined for now.

Support for storing secrets in Kubernetes secrets and exposing them as env variables is also coming very soon in T334578.

Thanks to everyone who participated in this conversation!

aborrero changed the visibility from "Custom Policy" to "All Users".Jul 18 2023, 10:11 AM
aborrero changed the visibility from "All Users" to "Public (No Login Required)".
aborrero mentioned this in T342089: Toolforge: Log files created by continuous jobs started with `toolforge-jobs` are readable by everyone.
bd808 mentioned this in T361426: Adoption request for Yapperbot .Mar 31 2024, 10:05 PM
Novem_Linguae subscribed.Mar 31 2024, 11:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits