Launchpadlib support in Ubuntu Developer Tools
Colin Watson
cjwatson at ubuntu.com
Thu Jan 15 00:23:13 GMT 2009
On Wed, Jan 14, 2009 at 11:18:35AM -0800, Kees Cook wrote:
> On Wed, Jan 14, 2009 at 10:58:58AM -0800, Kees Cook wrote:
> > Please make sure that the tool that creates the credentials stores them in
> > a mode 0600 file. The API examples[1] do not mention this, and I think
> > it's an important bit of protection.
> >
> > While playing with lplib for security team work, I took this a step
> > further and even made the directory unreadable. e.g.:
>
> er, I missed a rather important last line. Re-paste:
>
>   cachedir = os.path.expanduser('~/.launchpadlib/cache')
>   if not os.path.exists(cachedir):
>       os.makedirs(cachedir,0700)
>
>   credfile = os.path.expanduser('~/.launchpadlib/credentials')
>   try:
>       credentials = Credentials()
>       credentials.load(open(credfile))
>       launchpad = Launchpad(credentials, EDGE_SERVICE_ROOT, cachedir)
>   except:
>       launchpad = Launchpad.get_token_and_login(sys.argv[0], EDGE_SERVICE_ROOT, cachedir)
>       launchpad.credentials.save(open(credfile,"w",0600))

Isn't the third argument to Python's open() the buffer size, not the
file mode? That's what the documentation says, anyway.

    $ python -c 'open("pyopentest", "w", 0600).close()'; ls -l pyopentest
    -rw-r--r-- 1 cjwatson cjwatson 0 2009-01-15 00:19 pyopentest

I think you need:

    launchpad = Launchpad.get_token_and_login(sys.argv[0], EDGE_SERVICE_ROOT, cachedir)
    credfd = open(credfile, "w")
    os.chmod(credfile, 0600)
    launchpad.credentials.save(credfd)
    credfd.close()

Python didn't have fchmod until 2.6 so this is a little awkward, but it
does the job.

(Thanks for the note about making the file non-world-readable, though;
I'd forgotten it entirely in a launchpadlib application I maintain.
Fixed.)

--
Colin Watson [cjwatson at ubuntu.com]
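
An added example, not part of the original thread and not launchpadlib code: in Python 3 on a POSIX system, os.open() does take the mode as its third argument, so a credentials file can be created owner-only from the start and tightened with fchmod if it already existed, before anything is written to it. The helper names (open_private, mode_of, demo), the paths and the token string are constructed for illustration.

```python
import os
import stat
import tempfile


def open_private(path, file_mode=0o600, dir_mode=0o700):
    """Open path for writing so it is owner-only from the moment it exists."""
    os.makedirs(os.path.dirname(path) or ".", mode=dir_mode, exist_ok=True)
    # O_NOFOLLOW (where available) refuses to write through a symlink at path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, file_mode)  # here the third argument is the mode
    try:
        # The mode passed to os.open() applies only on creation, so tighten a
        # file that already existed before any secret is written to it.
        os.fchmod(fd, file_mode)
        return os.fdopen(fd, "w")
    except Exception:
        os.close(fd)
        raise


def mode_of(path):
    """Permission bits of path, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return the modes of: a file made with builtin open(..., 0o600), a new
    private file, its directory, and the first file after open_private()."""
    old_umask = os.umask(0o022)  # common default, pinned for repeatability
    try:
        with tempfile.TemporaryDirectory() as tmp:
            naive = os.path.join(tmp, "naive")
            open(naive, "w", 0o600).close()  # 0o600 is taken as buffer size
            naive_mode = mode_of(naive)

            cred = os.path.join(tmp, "launchpadlib", "credentials")
            with open_private(cred) as f:
                f.write("constructed-sample-token\n")

            with open_private(naive) as f:  # existing loose file is tightened
                f.write("constructed-sample-token\n")
            return (naive_mode, mode_of(cred),
                    mode_of(os.path.dirname(cred)), mode_of(naive))
    finally:
        os.umask(old_umask)
```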