Uploaded image for project: 'Libcloud'
  1. Libcloud
  2. LIBCLOUD-718

gce_libcloud_auth credentials file world-readable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Core
    • Labels:
      None
    • Flags:
      Patch

      Description

      I noticed a suspicious-looking world-readable file on a VM that talks to Google Compute Engine API via libcloud:

      -rw-r--r--  1 root root      164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
      

      It contains a "Bearer" access token so presumably should not be readable by other users on a shared system. I suspect this (untested) patch might maybe fix this in git head:

      diff --git a/libcloud/common/google.py b/libcloud/common/google.py
      index 694cf93..7a658c8 100644
      --- a/libcloud/common/google.py
      +++ b/libcloud/common/google.py
      @@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection):
               """
               filename = os.path.realpath(os.path.expanduser(self.credential_file))
               data = json.dumps(self.token_info)
      -        with open(filename, 'w') as f:
      +        with os.open(filename, os.O_WRONLY, 0o600) as f:
                   f.write(data)
       
           def has_completed(self, response): 
      

        Attachments

          Activity

            People

            • Assignee:
              erjohnso Eric Johnson
              Reporter:
              siimphh Siim Põder
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: