Today I talked with [ACooper](https://office.wikimedia.org/wiki/User:ACooper-WMF) about a potential security risk in Toolforge, and I did some investigation with @aborrero.
The umask in Toolforge bastions is `022`, which means any new file that you create as a tool user (after running `become $toolname`) has `rw-r--r--` permissions. These files can be read by any other tool account, which maybe is required by some use cases but does not seem a sensible default.
This does not affect the files created automatically by `maintain-dbusers` (like `replica.my.cnf` containing the credentials for the replica dbs), which are created with a more secure `r--------`.
Example:
```
fnegri@tools-sgebastion-10:~$ become whopaintedthis
tools.whopaintedthis@tools-sgebastion-10:~$ cat replica.my.cnf > test_file
tools.whopaintedthis@tools-sgebastion-10:~$ ls -lh
[...]
-r-------- 1 tools.whopaintedthis tools.whopaintedthis 52 Aug 13 2022 replica.my.cnf
-rw-r--r-- 1 tools.whopaintedthis tools.whopaintedthis 163 Aug 13 2022 service.manifest
-rw-r--r-- 1 tools.whopaintedthis tools.whopaintedthis 52 May 20 17:22 test_file
[...]
fnegri@tools-sgebastion-10:~$ sudo become arturo-test-tool
tools.arturo-test-tool@tools-sgebastion-10:~$ cd /data/project/whopaintedthis/
tools.arturo-test-tool@tools-sgebastion-10:/data/project/whopaintedthis$ cat replica.my.cnf
cat: replica.my.cnf: Permission denied
tools.arturo-test-tool@tools-sgebastion-10:/data/project/whopaintedthis$ cat test_file
[the file content is displayed]
```
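The following is an added example, not part of the original report: a shell sketch that reproduces the effect of the umask on new files and lists files that other accounts can read. The function names, the scratch directories and the stricter `077` value used for comparison are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original report). Everything runs in
# temporary directories; the file contents are constructed.

# mode_with_umask MASK: create an empty file under the given umask and
# print its permission string as `ls -l` shows it (e.g. -rw-r--r--).
mode_with_umask() {
    dir=$(mktemp -d) || return 1
    # The subshell keeps the umask change from leaking into the caller.
    ( umask "$1" && : > "$dir/f" ) || { rm -rf "$dir"; return 1; }
    # Keep only the 10 mode characters; drops any ACL/SELinux suffix.
    ls -ld "$dir/f" | cut -c1-10
    rm -rf "$dir"
}

# world_readable DIR: print regular files under DIR that have the
# "other" read bit set, i.e. files any other account could read
# provided it can also traverse the parent directories.
world_readable() {
    find "$1" -type f -perm -004 -print
}

# Constructed demo mirroring the session above: the same content is
# written once under umask 022 and once under the assumed stricter 077.
demo=$(mktemp -d) || exit 1
( umask 022; echo 'constructed secret' > "$demo/test_file" )
( umask 077; echo 'constructed secret' > "$demo/private_file" )

echo "umask 022 -> $(mode_with_umask 022)"
echo "umask 077 -> $(mode_with_umask 077)"
echo "files readable by other accounts:"
world_readable "$demo"
rm -rf "$demo"
```

Pointing `world_readable` at a tool's home directory gives the list of files that need a `chmod o-r` (or stricter) regardless of what the default umask is.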