Launchpadlib support in Ubuntu Developer Tools

Kees Cook kees at ubuntu.com
Wed Jan 14 18:58:58 GMT 2009


On Wed, Jan 14, 2009 at 02:54:11PM +0000, Jonathan Davies wrote:
> I've improved the error message so that it asks people to see the
> manage-credentials manpage.

Please make sure that the tool that creates the credentials stores them in
a mode 0600 file.  The API examples[1] do not mention this, and I think
it's an important bit of protection.

While playing with lplib for security team work, I took this a step
further and even make the directory unreadable.  e.g.:

    cachedir = os.path.expanduser('~/.launchpadlib/cache')
    if not os.path.exists(cachedir):
        os.makedirs(cachedir,0700)

    credfile = os.path.expanduser('~/.launchpadlib/credentials')
    try:
        credentials = Credentials()
        credentials.load(open(credfile))
        launchpad = Launchpad(credentials, EDGE_SERVICE_ROOT, cachedir)
    except:
        launchpad = Launchpad.get_token_and_login(sys.argv[0], EDGE_SERVICE_ROOT, cachedir)


-Kees

[1] https://help.launchpad.net/API/launchpadlib

-- 
Kees Cook
Ubuntu Security Team



More information about the ubuntu-devel mailing list