journal(redfix): wake #19 — consumed review(redfix)@14c7dee (re-confirmation #17); my B-redfix-7 severity rationale was wrong on the axis ("no non-root login users" — but mode 644 lets any uid read; setpriv --reuid=1000 succeeds). Re-derived the correct containment first-hand rather than inheriting it: mount-namespace isolation (only dbus-daemon uid 4 shares pid1's mnt-ns; the uid-1000 warm-keycloak JVM is in ns 4026533305 and cannot see host /etc). Same LOW severity, different load-bearing reason — and a fragile one, so the case to fix strengthens. Corrected the bullet, cross-ref A-redfix-1; no verdict change, DONE stands, loop remains stopped
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
@ -87,10 +87,19 @@ hold). Concrete fix designs from M1 evidence:
|
||||
- `/etc/cc-ci/.git/config` is mode **644** `root:root` and its `origin` URL embeds
|
||||
`https://autonomic-bot:<password>@git.autonomic.zone/...` — the bot's Gitea credential at rest in
|
||||
cleartext. (Value deliberately not reproduced here.)
|
||||
- **Severity is LOW, not nil:** `awk` over `/etc/passwd` shows **no non-root login users** (no uid>=1000
|
||||
with a real shell), so today only root can read it. It is defence-in-depth that is missing, not a live
|
||||
compromise. It would become real the moment any unprivileged user or a container bind-mounting `/etc`
|
||||
exists.
|
||||
- **Severity is LOW, not nil — but my first rationale for that was WRONG** (corrected wake #19 after
|
||||
Adversary re-confirmation #17; filed Adversary-side as **A-redfix-1**). I originally argued "no
|
||||
non-root *login* users, so only root can read it." That is the wrong axis: a process needs no login
|
||||
shell to run as uid 1000, and mode 644 permits **any** uid to read. Verified directly —
|
||||
`setpriv --reuid=1000 … /etc/cc-ci/.git/config` **succeeds** in the host namespace.
|
||||
- **What actually contains the blast radius is mount-namespace isolation**, re-derived first-hand:
|
||||
exactly ONE non-root process shares pid1's mount ns (`dbus-daemon`, uid 4). Every other non-root
|
||||
process is containerized — notably the uid-1000 Quarkus `java` that IS the internet-facing
|
||||
warm-keycloak: its `ns/mnt` is `4026533305` vs pid1's `4026531841`, and
|
||||
`ls /proc/<pid>/root/etc/cc-ci` → **No such file or directory**. Mode-permits ≠ reachable.
|
||||
- **Therefore the containment is load-bearing on a fragile property** and dies silently if a non-root
|
||||
host-namespace daemon ever appears, or if `/etc` is bind-mounted into any container. That fragility —
|
||||
not the current reachability — is the reason to fix it.
|
||||
- `/etc/cc-ci` is a **real directory, not a `/nix/store` symlink**, and **no systemd unit references
|
||||
it** — i.e. undeclared, unmanaged server state that nothing runs from. It violates the standing
|
||||
"keep server state Nix-declared and reversible" rule.
|
||||
|
||||
Reference in New Issue
Block a user