Details
Bug
Status: Resolved
Major
Resolution: Fixed
Patch
Description
I noticed a suspicious-looking world-readable file on a VM that talks to Google Compute Engine API via libcloud:
-rw-r--r-- 1 root root 164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
It contains a "Bearer" access token so presumably should not be readable by other users on a shared system. I suspect this (untested) patch might maybe fix this in git head:
diff --git a/libcloud/common/google.py b/libcloud/common/google.py index 694cf93..7a658c8 100644 --- a/libcloud/common/google.py +++ b/libcloud/common/google.py @@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection): """ filename = os.path.realpath(os.path.expanduser(self.credential_file)) data = json.dumps(self.token_info) - with open(filename, 'w') as f: + with os.open(filename, os.O_WRONLY, 0o600) as f: f.write(data) def has_completed(self, response):
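Review bot: the replacement line `with os.open(filename, os.O_WRONLY, 0o600) as f:` will not run as written. os.open returns an integer file descriptor, which is not a context manager and has no write() method, so the `f.write(data)` that follows fails. The flags also lack os.O_CREAT, so the 0o600 mode is never applied and a missing credential file is not created, and they lack os.O_TRUNC, so a shorter token written over a longer one leaves stale trailing bytes that break the JSON. Suggest wrapping the descriptor, for example `with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600), 'w') as f:`. The mode argument only takes effect when the file is created, so credential files already on disk with 0644 (like the one in the report) stay world-readable unless the code also calls os.fchmod or os.chmod on them.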
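The permission problem described in the report, reproduced next to one way of writing a token cache that is owner-only from the moment it exists. This is an added example, not code from the report or from libcloud; the function names and the sample token are hypothetical, and it assumes a POSIX system.

```python
import json
import os
import stat
import tempfile


def write_token_insecure(path, token_info):
    """Pattern from the report: the mode is 0666 minus the umask (0644 for 022)."""
    with open(path, 'w') as f:
        f.write(json.dumps(token_info))


def write_token_private(path, token_info):
    """Write the token cache so that only the owner can ever read it."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with O_EXCL and mode 0600 regardless of the
    # umask, so the token is never on disk with wider permissions.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix='.token-')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(json.dumps(token_info))
        # Atomic swap: an existing world-readable file is replaced together
        # with its old mode instead of being overwritten in place.
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise


def file_mode(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (mode after insecure write, mode after private rewrite)."""
    old_umask = os.umask(0o022)  # typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed sample token, not a real credential.
            token = {'access_token': 'EXAMPLE', 'token_type': 'Bearer'}
            path = os.path.join(d, 'gce_auth_cache')
            write_token_insecure(path, token)
            before = file_mode(path)
            write_token_private(path, token)  # also fixes the existing file
            return before, file_mode(path)
    finally:
        os.umask(old_umask)


if __name__ == '__main__':
    print([oct(m) for m in demo()])
```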