Toolforge: Log files created by continuous jobs started with `toolforge-jobs` are readable by everyone
Closed, Invalid; Public; Security

Description

I don't know for sure that this is a security issue or how severe it is in that case, but I'd rather be safe than sorry. As I've understood it, you never really want log files publicly readable.

Steps to reproduce

  1. SSH to Toolforge and become a tool.
  2. Start a continuous job. I followed wt:Help:Toolforge/Redis_for_Toolforge#Celery, but changed the command: `toolforge-jobs run --continuous --image python3.9 --command "date; sleep 10" job-test`.
  3. Check permissions of the log files: `ls -l ~/job-test.*`.

Expected result

Log files are not readable by others.

Actual result

Log files are readable by everyone. Output from ls above is:

-rw-r--r-- 1 tools.isa-dev tools.isa-dev  0 jul 18 09:22 /data/project/isa-dev/job-test.err
-rw-r--r-- 1 tools.isa-dev tools.isa-dev 96 jul 18 09:22 /data/project/isa-dev/job-test.out

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities
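The check in step 3 can be run over every job log in a directory at once, with an optional step that removes access for other users. This is an added example, not part of the original report and not Toolforge tooling; the function names are hypothetical, and it assumes the job appends to the existing log files rather than recreating them.

```shell
#!/bin/sh
# Added example: audit job log files (*.out, *.err) for the "others read"
# permission bit, as seen in the report (-rw-r--r--, i.e. mode 0644, which
# is what a umask of 022 produces for newly created files).
# list_world_readable_logs and tighten_logs are hypothetical helper names.

# Print every *.out / *.err file directly inside $1 (default: $HOME)
# whose mode has the read bit set for "others".
list_world_readable_logs() {
    dir=${1:-$HOME}
    find "$dir" -maxdepth 1 -type f \( -name '*.out' -o -name '*.err' \) \
        -perm -o=r -print | sort
}

# Remove all "others" access from the files found above and print how
# many files were changed. Owner and group bits are left untouched.
tighten_logs() {
    dir=${1:-$HOME}
    before=$(list_world_readable_logs "$dir" | wc -l)
    find "$dir" -maxdepth 1 -type f \( -name '*.out' -o -name '*.err' \) \
        -perm -o=r -exec chmod o-rwx {} +
    after=$(list_world_readable_logs "$dir" | wc -l)
    echo $((before - after))
}

# Stand-alone use: sh audit_logs.sh /data/project/<tool>   (lists only)
if [ "$#" -gt 0 ]; then
    list_world_readable_logs "$1"
fi
```

A log file that is deleted and created again gets its mode from the umask of the process that creates it, so the audit is worth repeating after a job is restarted.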