journal(redfix): wake #19 — consumed review(redfix)@14c7dee (re-confirmation #17); my B-redfix-7 severity rationale was wrong on the axis ("no non-root login users" — but mode 644 lets any uid read; setpriv --reuid=1000 succeeds). Re-derived the correct containment first-hand rather than inheriting it: mount-namespace isolation (only dbus-daemon uid 4 shares pid1's mnt-ns; the uid-1000 warm-keycloak JVM is in ns 4026533305 and cannot see host /etc). Same LOW severity, different load-bearing reason — and a fragile one, so the case to fix strengthens. Corrected the bullet, cross-ref A-redfix-1; no verdict change, DONE stands, loop remains stopped
Some checks failed
continuous-integration/drone/push Build is failing

This commit is contained in:
2026-07-09 01:54:14 +00:00
parent 14c7dee249
commit 223cc16513
2 changed files with 52 additions and 4 deletions

View File

@ -87,10 +87,19 @@ hold). Concrete fix designs from M1 evidence:
- `/etc/cc-ci/.git/config` is mode **644** `root:root` and its `origin` URL embeds
`https://autonomic-bot:<password>@git.autonomic.zone/...` — the bot's Gitea credential at rest in
cleartext. (Value deliberately not reproduced here.)
- **Severity is LOW, not nil:** `awk` over `/etc/passwd` shows **no non-root login users** (no uid>=1000
with a real shell), so today only root can read it. It is defence-in-depth that is missing, not a live
compromise. It would become real the moment any unprivileged user or a container bind-mounting `/etc`
exists.
- **Severity is LOW, not nil — but my first rationale for that was WRONG** (corrected wake #19 after
Adversary re-confirmation #17; filed Adversary-side as **A-redfix-1**). I originally argued "no
non-root *login* users, so only root can read it." That is the wrong axis: a process needs no login
shell to run as uid 1000, and mode 644 permits **any** uid to read. Verified directly —
`setpriv --reuid=1000 … /etc/cc-ci/.git/config` **succeeds** in the host namespace.
- **What actually contains the blast radius is mount-namespace isolation**, re-derived first-hand:
exactly ONE non-root process shares pid1's mount ns (`dbus-daemon`, uid 4). Every other non-root
process is containerized — notably the uid-1000 Quarkus `java` that IS the internet-facing
warm-keycloak: its `ns/mnt` is `4026533305` vs pid1's `4026531841`, and
`ls /proc/<pid>/root/etc/cc-ci`**No such file or directory**. Mode-permits ≠ reachable.
- **Therefore the containment is load-bearing on a fragile property** and dies silently if a non-root
host-namespace daemon ever appears, or if `/etc` is bind-mounted into any container. That fragility —
not the current reachability — is the reason to fix it.
- `/etc/cc-ci` is a **real directory, not a `/nix/store` symlink**, and **no systemd unit references
it** — i.e. undeclared, unmanaged server state that nothing runs from. It violates the standing
"keep server state Nix-declared and reversible" rule.