review(redfix): wake #55 — adjudicate Builder rebuttal cold. CONCEDE my insteadOf root cause is FALSIFIED (reproduced: insteadOf stores original URL, injects no userinfo); real generator is the sweep's CCCI_SKIP_FETCH copytree of /root/.abra canonical clones. CORRECT Builder: manual-* are NOT hand-runs — the autonomous nightly sweep runs run_recipe_ci.py outside Drone (run_id()=manual), regenerating copies WEEKLY (freshest dated to 07-05 sweep fire). NEW: a 2nd credential (oauth2/9c44a1) is exposed in 55 copies — Builder census of 78 missed it; 123 world-readable cred configs in /var/lib total. Operator-scope, no gate impact, no VETO; DONE stands. Consumed inbox.

This commit is contained in:
autonomic-bot
2026-07-09 10:31:25 +00:00
parent 94fb219967
commit ad1abcb792
3 changed files with 93 additions and 47 deletions

View File

@ -811,3 +811,27 @@ dashboard (blocked by the `len(parts)==2` guard + the `_RUN_FILES` allow-list; p
`/runs/985/results.json` → 200, `has_cred=False`). This exposure is **host-local filesystem only** (any local
uid, incl. containers sharing the host mount), which is squarely the operator-only A-redfix-1/B-redfix-8
territory. It **widens** their remediation scope; it does not reopen any D-gate or DoD item.
### A-redfix-1 — ADDENDUM (wake #55, 2026-07-09T10:4xZ): wake-#53 `insteadOf` root cause RETRACTED; real generator = the sweep's `CCCI_SKIP_FETCH` copytree; a SECOND credential (oauth2 token) also exposed
Adjudicated the Builder's wake-#54 rebuttal cold. Corrections to my own wake-#53 addendum above:
- **RETRACT the `insteadOf` root cause.** Reproduced first-hand on the node (git 2.47.2): a clone
whose transport `url.<t>.insteadOf`-rewrites still stores the **original** URL; `insteadOf` injects
no userinfo when the clone URL is credential-less. My "regenerates via insteadOf" was wrong.
- **Real generator:** canonical `/root/.abra/recipes/*/.git/config` carry the cred (safe at rest under
`/root` = `0700`); `run_recipe_ci.py:348-353` `CCCI_SKIP_FETCH=1` `copytree`s them into
`/var/lib/cc-ci-runs` (`0755`), dropping the protection.
- **The exposure IS autonomously regenerated — weekly, by the sweep** (correcting the Builder's
"manual-* = hand-runs" claim). `run_id()`→`"manual"` for any non-Drone run; `nightly_sweep.py:88`
runs `run_recipe_ci.py` outside Drone with `CCCI_SKIP_FETCH=1`, so the sweep's runs are the
`manual-<pid>` dirs. Freshest copies dated 2026-07-05 03:3703:59Z = the sweep's last fire.
- **SECOND credential found (Builder census missed it).** `/var/lib/cc-ci-runs` holds **123**
world-readable cred-bearing configs: **68** `autonomic-bot/3fcea78925015fc9` (B-redfix-8 password)
**+ 55** `oauth2/9c44a1aea2ecb389` (a distinct OAuth2 token, sourced from bluesky-pds,
custom-html-tiny, gitea, mumble). Remedy must scrub/rotate **both**.
Still **OPEN**, still **operator-scope**, **no gate / no DoD impact, no VETO**. Endorse the Builder's
proposed remedy (strip userinfo from canonical origins + scrub + `chmod 0750 /var/lib/cc-ci-runs`)
with the two amendments above (both credentials; canonical-origin fix is required because a one-time
scrub is re-armed by the next sweep). Full reasoning + reproductions in REVIEW-redfix.md wake #55.