gce_libcloud_auth credentials file world-readable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Core
    • Labels:
      None
    • Flags:
      Patch

      Description

      I noticed a suspicious-looking world-readable file on a VM that talks to Google Compute Engine API via libcloud:

      -rw-r--r--  1 root root      164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
      

      It contains a "Bearer" access token so presumably should not be readable by other users on a shared system. I suspect this (untested) patch might maybe fix this in git head:

      diff --git a/libcloud/common/google.py b/libcloud/common/google.py
      index 694cf93..7a658c8 100644
      --- a/libcloud/common/google.py
      +++ b/libcloud/common/google.py
      @@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection):
               """
               filename = os.path.realpath(os.path.expanduser(self.credential_file))
               data = json.dumps(self.token_info)
      -        with open(filename, 'w') as f:
      +        with os.open(filename, os.O_WRONLY, 0o600) as f:
                   f.write(data)
       
           def has_completed(self, response): 
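
      Review bot: The added line `with os.open(filename, os.O_WRONLY, 0o600) as f:` cannot work as written, because `os.open()` returns an integer file descriptor rather than a file object, so the `with` statement fails and `f.write(data)` is never reached. Wrap the descriptor, for example `with os.fdopen(os.open(filename, flags, 0o600), 'w') as f:`. The flags also need `os.O_CREAT`, since without it the `0o600` mode is ignored and the call fails when the credential file does not exist yet, and `os.O_TRUNC`, since the `open(filename, 'w')` being replaced truncated the file and a shorter token would otherwise leave stale bytes after the new JSON. The mode argument only applies when the file is created, so a cache file that already exists with mode 0644, like the one in the report, stays world-readable unless the code also calls `os.chmod(filename, 0o600)` or `os.fchmod()` on the descriptor.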
      

        Activity

        jira-bot ASF subversion and git services added a comment -

        Commit 59fec8e7a203ce95bca7a8b6c5c1744f4f718527 in libcloud's branch refs/heads/trunk from Eric Johnson
        [ https://git-wip-us.apache.org/repos/asf?p=libcloud.git;h=59fec8e ]

        [google] Minor security improvement for storing cached GCE credentials

        Closes LIBCLOUD-718
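
        The permission problem in the description, as an added example that is not libcloud's code and not the content of the commit above: a token cache writer that creates the file with mode 0600 and also tightens a file that already exists with wider permissions. The names `write_token_cache` and `group_or_world_accessible`, the file name and the token value are hypothetical; POSIX permissions are assumed.

```python
import json
import os
import stat
import tempfile


def write_token_cache(path, token_info):
    """Write token_info as JSON to path, accessible to the owner only."""
    path = os.path.realpath(os.path.expanduser(path))
    # O_CREAT with mode 0o600 covers a new file. The mode argument is ignored
    # when the file already exists, so the fchmod below handles that case.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # tighten before any token bytes are written
        f = os.fdopen(fd, "w")
    except Exception:
        os.close(fd)
        raise
    with f:
        json.dump(token_info, f)
    return path


def group_or_world_accessible(path):
    """Return True if any group or other permission bit is set on path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo():
    """Start from an existing 0644 cache file, as in the report, then rewrite it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".gce_libcloud_auth.example")  # constructed name
        with open(path, "w") as f:
            f.write("{}")
        os.chmod(path, 0o644)
        before = group_or_world_accessible(path)
        # Constructed sample token, not a real credential.
        write_token_cache(path, {"access_token": "EXAMPLE", "token_type": "Bearer"})
        after = group_or_world_accessible(path)
        with open(path) as f:
            content = json.load(f)
        return before, after, content


if __name__ == "__main__":
    print(demo())
```

        The same `group_or_world_accessible` check can be run over existing `.gce_libcloud_auth.*` files to find caches written before the fix.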


          People

          • Assignee:
            erjohnso Eric Johnson
            Reporter:
            siimphh Siim Põder