Launchpadlib support in Ubuntu Developer Tools

Kees Cook kees at ubuntu.com
Wed Jan 14 19:18:35 GMT 2009


On Wed, Jan 14, 2009 at 10:58:58AM -0800, Kees Cook wrote:
> On Wed, Jan 14, 2009 at 02:54:11PM +0000, Jonathan Davies wrote:
> > I've improved the error message so that it asks people to see the
> > manage-credentials manpage.
> 
> Please make sure that the tool that creates the credentials stores them in
> a mode 0600 file.  The API examples[1] do not mention this, and I think
> it's an important bit of protection.
> 
> While playing with lplib for security team work, I took this a step
> further and even make the directory unreadable.  e.g.:

er, I missed a rather important last line.  Re-paste:

    cachedir = os.path.expanduser('~/.launchpadlib/cache')
    if not os.path.exists(cachedir):
        os.makedirs(cachedir,0700)

    credfile = os.path.expanduser('~/.launchpadlib/credentials')
    try:
        credentials = Credentials()
        credentials.load(open(credfile))
        launchpad = Launchpad(credentials, EDGE_SERVICE_ROOT, cachedir)
    except:
        launchpad = Launchpad.get_token_and_login(sys.argv[0], EDGE_SERVICE_ROOT, cachedir)
        launchpad.credentials.save(open(credfile,"w",0600))

-- 
Kees Cook
Ubuntu Security Team



More information about the ubuntu-devel mailing list