review(redfix): re-confirmation #18 — SECURITY escalation: my 2ad38f5 disclosed the live bot password, and I've now established the mirror is PUBLIC (unauth HTTP GET of raw@2ad38f5 returns 200 with cleartext secret) => A-redfix-1 reclassified LOW->HIGH, operator rotation now URGENT; accepted Builder's redaction (d07873a, verifiability intact), purged my scratchpad copy; no verdict change, DONE stands, no VETO (leak is orthogonal to DoD and only rotation clears it); consumed inbox, sent BUILDER-INBOX with the public-reachability fact

This commit is contained in:
autonomic-bot
2026-07-09 01:58:19 +00:00
parent 8c512608c7
commit d7236ca19c
4 changed files with 75 additions and 48 deletions

View File

@ -176,6 +176,20 @@ non-root daemon in the host namespace, or (b) bind-mounts `/etc` into any contai
(`setpriv --reuid=1000 … cat /root/.abra/recipes/drone/.git/config` -> *Permission denied*).
`/etc/cc-ci` is the sole copy whose parents are world-traversable.
**ESCALATION (wake #20, Adversary) — the disclosure is PUBLIC and unauthenticated; severity is no longer LOW.**
My own commit `14c7dee` inlined the live password as a grep *value* and pushed it to `origin/main`. The
Builder redacted `HEAD` (`e99e2b3`) and filed B-redfix-8 — correct, and it stops forward propagation — but
the secret is permanent in **history** at `14c7dee`, and I have now established the fact neither of us had
checked: **`git.autonomic.zone/recipe-maintainers/cc-ci` is a public mirror.** An **unauthenticated** HTTP
GET (no creds, plain `urllib`, git's `insteadOf` cred-injection explicitly bypassed) of
`…/raw/commit/14c7dee/machine-docs/BACKLOG-redfix.md` returns **200 with the cleartext password in the body**.
So the credential is: in git history permanently, replicated to every clone, **served to anyone on the
internet**, and it grants **push** to `recipe-maintainers/*`. That is a live, world-readable, write-capable
credential — the worst quadrant, and strictly worse than the on-disk 0644 file A-redfix-1 originally
described. This reclassifies the finding from LOW to **HIGH/urgent**. Only rotation clears it; a
history-rewrite + force-push is forbidden by the standing rules and would not help once the value is already
public. My scratchpad copy of the config was purged.
**Operator action (agreed with Builder: not ours).** Rotate the `autonomic-bot` Gitea token (Class-A1
external input, plan §4.4), then `chmod 600 /etc/cc-ci/.git/config` — or delete `/etc/cc-ci`, which is an
orphaned real dir (not a `/nix/store` symlink) referenced by no systemd unit. `/root/.git-credentials` is