[
https://issues.apache.org/jira/browse/LIBCLOUD-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Siim Põder updated LIBCLOUD-718:
--------------------------------
Flags: Patch
Description:
I noticed a suspicious-looking world-readable file on a VM that talks to Google
Compute Engine API via libcloud:
{noformat}
-rw-r--r-- 1 root root 164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
{noformat}
It contains a "Bearer" access token so presumably should not be readable by
other users on a shared system. I suspect this (untested) patch might maybe fix
this in git head:
{noformat}
diff --git a/libcloud/common/google.py b/libcloud/common/google.py
index 694cf93..7a658c8 100644
--- a/libcloud/common/google.py
+++ b/libcloud/common/google.py
@@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey,
PollingConnection):
"""
filename = os.path.realpath(os.path.expanduser(self.credential_file))
data = json.dumps(self.token_info)
- with open(filename, 'w') as f:
+ with os.open(filename, os.O_WRONLY, 0o600) as f:
f.write(data)
def has_completed(self, response):
{noformat}
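Review bot: On the `+` line, `os.open()` returns an integer file descriptor rather than a file object, so `with os.open(...) as f:` fails because an int is not a context manager, and the unchanged `f.write(data)` would have nothing to call. Wrap the descriptor in a file object instead, for example `with os.fdopen(os.open(filename, flags, 0o600), 'w') as f:`, and keep the rest of the block as it is.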
was:
I noticed a suspicious-looking world-readable file on a VM that talks to Google
Compute Engine API via libcloud:
{noformat}
-rw-r--r-- 1 root root 164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
{noformat}
It contains a "Bearer" access token so presumably should not be readable by
other users on a shared system. I suspect this (untested) patch might maybe fix
this in git head:
{noformat}
diff --git a/libcloud/common/google.py b/libcloud/common/google.py
index 694cf93..7a658c8 100644
--- a/libcloud/common/google.py
+++ b/libcloud/common/google.py
@@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey,
PollingConnection):
"""
filename = os.path.realpath(os.path.expanduser(self.credential_file))
data = json.dumps(self.token_info)
- with open(filename, 'w') as f:
+ with os.open(filename, os.O_WRONLY, 0600) as f:
f.write(data)
def has_completed(self, response):
{noformat}
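Review bot: The mode literal `0600` on the `+` line is Python 2-only octal syntax and is a SyntaxError on Python 3. The `0o600` spelling is accepted by Python 2.6+ and Python 3, so it is the form to use if this module has to import on both.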
> gce_libcloud_auth credentials file world-readable
> -------------------------------------------------
>
> Key: LIBCLOUD-718
> URL: https://issues.apache.org/jira/browse/LIBCLOUD-718
> Project: Libcloud
> Issue Type: Bug
> Components: Core
> Reporter: Siim Põder
>
> I noticed a suspicious-looking world-readable file on a VM that talks to
> Google Compute Engine API via libcloud:
> {noformat}
> -rw-r--r-- 1 root root 164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
> {noformat}
> It contains a "Bearer" access token so presumably should not be readable by
> other users on a shared system. I suspect this (untested) patch might maybe
> fix this in git head:
> {noformat}
> diff --git a/libcloud/common/google.py b/libcloud/common/google.py
> index 694cf93..7a658c8 100644
> --- a/libcloud/common/google.py
> +++ b/libcloud/common/google.py
> @@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey,
> PollingConnection):
> """
> filename = os.path.realpath(os.path.expanduser(self.credential_file))
> data = json.dumps(self.token_info)
> - with open(filename, 'w') as f:
> + with os.open(filename, os.O_WRONLY, 0o600) as f:
> f.write(data)
>
> def has_completed(self, response):
> {noformat}
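Review bot: The flags on the `+` line are only `os.O_WRONLY`, which drops two things the removed `open(filename, 'w')` did: without `os.O_CREAT` the call raises when the credential file does not exist yet, and without `os.O_TRUNC` a shorter token leaves trailing bytes of the previous JSON in the file. The mode argument is also only applied when the file is created, so a credential file that is already `-rw-r--r--` stays world-readable after this change. Suggest `os.O_WRONLY | os.O_CREAT | os.O_TRUNC` plus an explicit `os.fchmod(fd, 0o600)` (or `os.chmod`) before writing.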
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
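
The permission problem reported in this issue, reproduced and corrected in a stand-alone sketch. This is an added example, not libcloud's code or the reporter's patch; `write_token_file`, `file_mode`, `demo`, the file name and the token value are constructed for illustration, and a POSIX system is assumed (`os.fchmod` is not available on Windows).

```python
import json
import os
import stat
import tempfile


def write_token_file(path, token_info):
    """Write token_info as JSON to path, accessible by the owner only."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    # The mode argument only applies when the file is created, and it
    # is still filtered through the process umask.
    fd = os.open(path, flags, 0o600)
    try:
        # Tighten a file that already existed with looser permissions
        # before any secret bytes are written to it.
        os.fchmod(fd, 0o600)
        f = os.fdopen(fd, "w")
    except Exception:
        os.close(fd)
        raise
    with f:
        json.dump(token_info, f)


def file_mode(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (mode after plain open(), mode after write_token_file(), data)."""
    token = {"access_token": "CONSTRUCTED-SAMPLE", "token_type": "Bearer"}
    old_umask = os.umask(0o022)  # a common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, ".gce_libcloud_auth.example")
            with open(path, "w") as f:      # behaviour reported in the issue
                json.dump(token, f)
            before = file_mode(path)
            write_token_file(path, token)   # same path, now pre-existing
            after = file_mode(path)
            with open(path) as f:
                stored = json.load(f)
            return before, after, stored
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

Tightening the mode does not revoke access from a process that already holds the file open, so a token that was exposed under the old permissions should still be treated as disclosed.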