[webkit-dev] rolling out a buggy security patch

Osztrogonác Csaba oszi at inf.u-szeged.hu
Tue Mar 12 03:06:46 PDT 2013


Maciej Stachowiak wrote:

>> On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak <mjs at apple.com> wrote:
>>> The commit bot is not a person and therefore can't agree to the 
>>> security group policy, as required for security group membership.
>>>
>>> If a specific person or persons want to take responsibility for an 
>>> additional email account and bugzilla account having security access, 
>>> then that's not categorically excluded. But I'd like to understand 
>>> who currently has access to the commit bot's email account and 
>>> bugzilla account, what the policies are for more people getting 
>>> access, and whether there are indirect ways of getting access such as 
>>> by modifying the commit bot's code, or by uploading a patch that 
>>> tries to abuse the EWS testers. And I'd like to see at least one 
>>> person named to take responsibility for ensuring that the commit bot 
>>> is not used as a means of violating the policy.
> 
> I am still curious who has access to the commit bot's bugzilla account. 
> Is it a small set of known people, is it a large set, is the password 
> sitting around somewhere that others may get at it? I do not recall this 
> being answered at the time, or perhaps I have forgotten.
> 
> If the set with access is a small set of known people who are willing to 
> be identified and be in the security group themselves (or already are), 
> then I am personally fine with it.
> 
> Regards,
> Maciej

Technically we could make it possible to roll out security patches with
sheriffbot without security group membership. Now the problem is that
creating the rollout patch and bug report fails, because sheriffbot
can't handle that it can't comment on and block the original bug report.
If it could, it wouldn't need security group membership. Of course it
won't be able to comment on and reopen the original bug, or make the
rollout bug block the original one. But that can be done easily by
the original author and the reviewer, because they can still be
cc-ed on the new bug. I think commit bots don't need security group
membership at all, because rollout bugs aren't security bugs in general.

And what about the EWS bots? What do you think about making them able
to build and test security patches too, of course while taking notice
of the security group policy? I have to agree with Maciej, the EWS bots'
security status isn't the best now. Their Bugzilla credentials are
stored in their ~/.gitconfig as plain text like this:
-------------------------------------------------------
[bugzilla]
     username = <ews-bots-e-mail-address>
     password = <ews-bots-dummy-password>
-------------------------------------------------------

Unfortunately there are many possibilities now to try to abuse the
EWS bots, as they build and test all patches they find in bugzilla.
We can add many restrictions to make them more secure, for example:
  - build and run tests in a sandbox
  - don't build and test patches that modify anything in the Tools directory
    (EWS codebase, build-webkit, run-webkit-tests, ...),
    or restrict it to contributors/committers/reviewers listed in committers.py
  - restrict the set of people who know the password of the EWS bots

Ossy
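The "don't touch Tools/" and "only people in committers.py" restrictions from the list above, as an added Python illustration; this is not WebKit's EWS or webkitpy code, and the protected-prefix list, the contributor set, the sample patch and the function names are constructed for the example:

```python
import re

# Paths the bots run from: a patch that changes them could alter what the
# bot executes next. Constructed list; the mail only names the Tools directory.
PROTECTED_PREFIXES = ("Tools/",)

# Stand-in for committers.py: constructed sample addresses, not WebKit data.
KNOWN_CONTRIBUTORS = {"alice@example.org", "bob@example.org"}

# Unified-diff file headers: git-style "+++ b/Path" (or plain "+++ Path") and svn-style "Index: Path".
_PLUS_HEADER = re.compile(r"^\+\+\+ (?:b/)?(\S+)", re.MULTILINE)
_SVN_INDEX = re.compile(r"^Index: (\S+)", re.MULTILINE)

def touched_paths(patch_text):
    """Return the set of file paths a unified diff modifies."""
    paths = set(_PLUS_HEADER.findall(patch_text))
    paths |= set(_SVN_INDEX.findall(patch_text))
    paths.discard("/dev/null")  # git header for a deleted file, not a path
    return paths

def check_patch(patch_text, author_email):
    """Return policy violations; an empty list means the bot may build and test it."""
    problems = []
    if author_email not in KNOWN_CONTRIBUTORS:
        problems.append(f"author {author_email} not in committers list")
    for path in sorted(touched_paths(patch_text)):
        if path.startswith(PROTECTED_PREFIXES):
            problems.append(f"patch modifies protected path {path}")
    return problems

# Constructed sample patch: one WebCore source change plus an edit to the very
# script the bot would run, using both svn- and git-style headers.
SAMPLE_PATCH = """\
Index: Source/WebCore/dom/Node.cpp
--- Source/WebCore/dom/Node.cpp
+++ Source/WebCore/dom/Node.cpp
@@ -1 +1 @@
-old
+new
diff --git a/Tools/Scripts/run-webkit-tests b/Tools/Scripts/run-webkit-tests
--- a/Tools/Scripts/run-webkit-tests
+++ b/Tools/Scripts/run-webkit-tests
@@ -1 +1 @@
-old
+new
"""
```

A bot would run check_patch on the attachment before build-webkit; the sandbox point from the list is separate and not covered here.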
