|
| 1 | +# Threat model |
| 2 | +This document describes the threat model of this repository. |
| 3 | + |
| 4 | +The `team` repository manages various sensitive permissions: |
| 5 | +- It provides access to GitHub users to rust-lang (and other organization's) repositories. |
| 6 | + - This includes `admin` access, which can be quite destructive. |
| 7 | +- It provides access to private Zulip streams. |
| 8 | +- It subscribes users to mailing lists. |
| 9 | + |
| 10 | +## User categories |
| 11 | +There are three groups of users that come into play here: |
| 12 | +- Infra *admins*. This is a small group of users that essentially have all the permissions. |
| 13 | +- Team repo *maintainers*. This is a larger set of users with `write` access to this repository, which can include e.g. team leads. |
| 14 | +- *Unprivileged* users, which is everyone else. This includes people that send PRs to this repository. |
| 15 | + |
| 16 | +On the one hand, we want to give access to team leads to merge "benign" changes, such as membership changes in teams without elevated privileges or modifications to the description or homepage URL of repositories. On the other hand, we must make sure that the maintainers cannot make more dangerous changes, such as giving access to CI tokens (more on that below). Otherwise, their accounts could become a target for attackers. |
| 17 | + |
| 18 | +## What we need to avoid |
| 19 | +After a `team` PR is approved, it is put into a merge queue, which uses a GitHub environment to access secret tokens that can do pretty much anything across the rust-lang enterprise. These secrets are then used to sync changes to GitHub/Zulip/Mailgun, based on the changes made in the PR. |
| 20 | + |
| 21 | +There are two categories of "attacks" that we would like to prevent. |
| 22 | + |
| 23 | +### Elevation of privileges |
| 24 | +The first category is "elevation of privileges", which could be done by affecting code that gets executed on CI. In general, we need to ensure that except for the *admins*, no one (not even the maintainers) will be able to: |
| 25 | + |
| 26 | +1) Access the secret tokens |
| 27 | +2) Modify code that runs on CI (as that can read the token) |
| 28 | +3) Merge changes to code or CI |
| 29 | +4) Give themselves elevated privileges by changing the TOML data files |
| 30 | + |
| 31 | +As this would give the attacker almost unrestricted access to anything in the rust-lang enterprise. |
| 32 | + |
| 33 | +To give a few more specific examples, here is a non-exhaustive list of scenarios that must not be possible for anyone else other than the admins: |
| 34 | +- Modifying the TOML file of an infra-admin, changing GitHub ID to a different one to add their account to the infra-admins team. |
| 35 | +- Changing the access permissions of the `team` repository itself. |
| 36 | +- Changing the code of `sync-team` or `team` to give themselves special permissions. |
| 37 | +- Changing the code of CI workflows. |
| 38 | +- Adding or modifying a file that affects what gets executed on CI. For example `.cargo/config.toml` (affects Cargo) or `rust-toolchain.toml` file (affects Rustup). |
| 39 | + |
| 40 | +### Content attacks |
| 41 | +The second category is "content attacks", which can be done without changing code, only by modifying the TOML data files. This kind of attack could be performed by a maintainer, unless we explicitly protect against it. |
| 42 | + |
| 43 | +For example, a content attack done by a *maintainer* account could be: |
| 44 | +- Changing the homepage of a repository to point to a malware/scam website. |
| 45 | +- Giving themselves `admin` permissions on a repository and then renaming it or moving it out of the organization. |
| 46 | +- Giving themselves access to a repository or a team that they should not have access to (e.g. a survey team lead maintainer gives themselves access to the `lang` team). |
| 47 | +- Removing access of someone else from a repository, barring them from contributing to it. |
| 48 | + |
| 49 | +## How to prevent attacks |
| 50 | +We plan to mitigate "elevation of privileges" attacks with [CODEOWNERS](../.github/CODEOWNERS) and "content attacks" with custom checks. |
| 51 | + |
| 52 | +The `CODEOWNERS` file gives maintainers rights to merge changes to TOML data files in the `people`, `repos` and `teams` repositories, excluding a handful of sensitive files (permissions to the `team` and `sync-team` repositories and definition of teams and users of the admins and maintainers themselves). All other changes have to be approved by at least one admin. |
| 53 | + |
| 54 | +To protect against "content attacks", we should further implement CI checks that will check that changes to the TOML files did not result in suspicious activity. |
0 commit comments