libcloud-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Siim Põder (JIRA) <j...@apache.org>
Subject [jira] [Updated] (LIBCLOUD-718) gce_libcloud_auth credentials file world-readable
Date Sun, 28 Jun 2015 10:25:05 GMT

     [ https://issues.apache.org/jira/browse/LIBCLOUD-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Siim Põder updated LIBCLOUD-718:
--------------------------------
          Flags: Patch
    Description: 
I noticed a suspicious-looking world-readable file on a VM that talks to Google Compute Engine
API via libcloud: 

{noformat}
-rw-r--r--  1 root root      164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
{noformat}

It contains a "Bearer" access token so presumably should not be readable by other users on
a shared system. I suspect this (untested) patch might maybe fix this in git head:

{noformat}
diff --git a/libcloud/common/google.py b/libcloud/common/google.py
index 694cf93..7a658c8 100644
--- a/libcloud/common/google.py
+++ b/libcloud/common/google.py
@@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection):
         """
         filename = os.path.realpath(os.path.expanduser(self.credential_file))
         data = json.dumps(self.token_info)
-        with open(filename, 'w') as f:
+        with os.open(filename, os.O_WRONLY, 0o600) as f:
             f.write(data)
 
     def has_completed(self, response): 
{noformat}

  was:
I noticed a suspicious-looking world-readable file on a VM that talks to Google Compute Engine
API via libcloud: 

{noformat}
-rw-r--r--  1 root root      164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
{noformat}

It contains a "Bearer" access token so presumably should not be readable by other users on
a shared system. I suspect this (untested) patch might maybe fix this in git head:

{noformat}
diff --git a/libcloud/common/google.py b/libcloud/common/google.py
index 694cf93..7a658c8 100644
--- a/libcloud/common/google.py
+++ b/libcloud/common/google.py
@@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection):
         """
         filename = os.path.realpath(os.path.expanduser(self.credential_file))
         data = json.dumps(self.token_info)
-        with open(filename, 'w') as f:
+        with os.open(filename, os.O_WRONLY, 0600) as f:
             f.write(data)
 
     def has_completed(self, response): 
{noformat}


> gce_libcloud_auth credentials file world-readable
> -------------------------------------------------
>
>                 Key: LIBCLOUD-718
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-718
>             Project: Libcloud
>          Issue Type: Bug
>          Components: Core
>            Reporter: Siim Põder
>
> I noticed a suspicious-looking world-readable file on a VM that talks to Google Compute
Engine API via libcloud: 
> {noformat}
> -rw-r--r--  1 root root      164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
> {noformat}
> It contains a "Bearer" access token so presumably should not be readable by other users
on a shared system. I suspect this (untested) patch might maybe fix this in git head:
> {noformat}
> diff --git a/libcloud/common/google.py b/libcloud/common/google.py
> index 694cf93..7a658c8 100644
> --- a/libcloud/common/google.py
> +++ b/libcloud/common/google.py
> @@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection):
>          """
>          filename = os.path.realpath(os.path.expanduser(self.credential_file))
>          data = json.dumps(self.token_info)
> -        with open(filename, 'w') as f:
> +        with os.open(filename, os.O_WRONLY, 0o600) as f:
>              f.write(data)
>  
>      def has_completed(self, response): 
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message