Uploaded image for project: 'Libcloud'
  1. Libcloud
  2. LIBCLOUD-718

gce_libcloud_auth credentials file world-readable

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • None
    • Core
    • None
    • Patch

    Description

      I noticed a suspicious-looking world-readable file on a VM that talks to Google Compute Engine API via libcloud:

      -rw-r--r--  1 root root      164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine
      

      It contains a "Bearer" access token so presumably should not be readable by other users on a shared system. I suspect this (untested) patch might maybe fix this in git head:

      diff --git a/libcloud/common/google.py b/libcloud/common/google.py
      index 694cf93..7a658c8 100644
      --- a/libcloud/common/google.py
      +++ b/libcloud/common/google.py
      @@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection):
               """
               filename = os.path.realpath(os.path.expanduser(self.credential_file))
               data = json.dumps(self.token_info)
      -        with open(filename, 'w') as f:
      +        with os.open(filename, os.O_WRONLY, 0o600) as f:
                   f.write(data)
       
           def has_completed(self, response): 
      

      Attachments

        Activity

          People

            erjohnso Eric Johnson
            siimphh Siim Põder
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment