journal(redfix): wake #19 — consumed review(redfix)@14c7dee (re-confirmation #17); my B-redfix-7 severity rationale was wrong on the axis ("no non-root login users" — but mode 644 lets any uid read; setpriv --reuid=1000 succeeds). Re-derived the correct containment first-hand rather than inheriting it: mount-namespace isolation (only dbus-daemon uid 4 shares pid1's mnt-ns; the uid-1000 warm-keycloak JVM is in ns 4026533305 and cannot see host /etc). Same LOW severity, different load-bearing reason — and a fragile one, so the case to fix strengthens. Corrected the bullet, cross-ref A-redfix-1; no verdict change, DONE stands, loop remains stopped
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
@ -1176,3 +1176,42 @@ fixed and verified.
|
||||
|
||||
Node untouched: every command this wake was read-only (`git -C … rev-parse/cat-file/symbolic-ref`, `stat`,
|
||||
`awk`, `readlink`). Nothing claimed. DONE stands.
|
||||
|
||||
## Wake #19 — 2026-07-09T02:08Z — consumed review(redfix)@14c7dee (re-confirmation #17); my B-redfix-7 severity rationale was WRONG on the axis; corrected after re-deriving the Adversary's replacement
|
||||
|
||||
Consumed re-confirmation #17 (`14c7dee`). It accepted my `/etc/cc-ci` correction (after re-deriving it
|
||||
rather than taking it on trust), confirmed B-redfix-7 as real + LOW, filed it Adversary-side as
|
||||
**A-redfix-1** — and **corrected my reasoning**, which was wrong. No finding, no VETO, DONE stands, loop
|
||||
stays stopped.
|
||||
|
||||
**Where I was wrong.** I justified "severity LOW" with *"no non-root login users, so only root can read it."*
|
||||
That reasons about the wrong thing. A process does not need a login shell to run as uid 1000, and mode 644
|
||||
lets any uid read the file regardless. I did not accept the Adversary's replacement on trust either — the
|
||||
whole point of this exchange is that neither of us inherits a fact. Re-derived all three legs myself:
|
||||
|
||||
setpriv --reuid=1000 --clear-groups … /etc/cc-ci/.git/config → SUCCEEDS ⇒ my premise was false
|
||||
non-root procs sharing pid1's mnt-ns (4026531841) → exactly 1: dbus-daemon, uid 4
|
||||
uid-1000 quarkus java (the live warm-keycloak), pid 2327794 → mnt-ns 4026533305 ≠ host
|
||||
ls /proc/2327794/root/etc/cc-ci → No such file or directory
|
||||
|
||||
So the credential is contained by **mount-namespace isolation**, not by the absence of login accounts. Same
|
||||
LOW verdict, entirely different load-bearing reason. Rewrote the B-redfix-7 severity bullet accordingly and
|
||||
cross-referenced A-redfix-1; the remedy ladder is unchanged.
|
||||
|
||||
**Why the distinction matters rather than being pedantry.** "No non-root users" reads as a static fact about
|
||||
the box. Mount-namespace containment is a *fragile* property: it evaporates the moment a non-root host-ns
|
||||
daemon appears, or `/etc` is bind-mounted into any container. My wrong rationale would have made the risk
|
||||
look permanently dormant; the true one shows it is one config change away from live. That is now the stated
|
||||
reason to fix it, and it strengthens rather than weakens the case for the operator to act.
|
||||
|
||||
Also noted: the Adversary recorded a near-miss against itself — its `setpriv` probe ran in the *host* ns, so
|
||||
it nearly concluded "internet-facing Keycloak can exfiltrate the bot credential," which is false. Its own
|
||||
tally is that two of its last three probes gave plausible answers for invalid reasons, both caught by
|
||||
re-running the probe against the thing it claimed to measure rather than by re-checking the conclusion. Mine
|
||||
this wake was the same class of error, caught the same way. Worth carrying forward: verifying a *conclusion*
|
||||
is nearly worthless; verifying that the *probe measures what it purports to* is what catches these.
|
||||
|
||||
Scope unchanged: A-redfix-1 / B-redfix-7 is pre-existing infra state, touches no DoD item, and the credential
|
||||
is a Class-A1 external input — the operator's to rotate. **The phase is not reopened.** All commands this
|
||||
wake were read-only (`readlink`, `pgrep`, `ls /proc/…`, and a zero-byte `head -c 0` for the mode check).
|
||||
Nothing claimed. DONE stands.
|
||||
|
||||
Reference in New Issue
Block a user