Launchpadlib support in Ubuntu Developer Tools
Kees Cook
kees at ubuntu.com
Wed Jan 14 19:18:35 GMT 2009
On Wed, Jan 14, 2009 at 10:58:58AM -0800, Kees Cook wrote:
> On Wed, Jan 14, 2009 at 02:54:11PM +0000, Jonathan Davies wrote:
> > I've improved the error message so that it asks people to see the
> > manage-credentials manpage.
>
> Please make sure that the tool that creates the credentials stores them in
> a mode 0600 file. The API examples[1] do not mention this, and I think
> it's an important bit of protection.
>
> While playing with lplib for security team work, I took this a step
> further and even make the directory unreadable. e.g.:
er, I missed a rather important last line. Re-paste:
cachedir = os.path.expanduser('~/.launchpadlib/cache')
if not os.path.exists(cachedir):
os.makedirs(cachedir,0700)
credfile = os.path.expanduser('~/.launchpadlib/credentials')
try:
credentials = Credentials()
credentials.load(open(credfile))
launchpad = Launchpad(credentials, EDGE_SERVICE_ROOT, cachedir)
except:
launchpad = Launchpad.get_token_and_login(sys.argv[0], EDGE_SERVICE_ROOT, cachedir)
launchpad.credentials.save(open(credfile,"w",0600))
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-devel
mailing list