Posted to notifications@libcloud.apache.org by "Siim Põder (JIRA)" <ji...@apache.org> on 2015/06/28 01:05:04 UTC

[jira] [Created] (LIBCLOUD-718) gce_libcloud_auth credentials file world-readable

Siim Põder created LIBCLOUD-718:
-----------------------------------

             Summary: gce_libcloud_auth credentials file world-readable
                 Key: LIBCLOUD-718
                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-718
             Project: Libcloud
          Issue Type: Bug
          Components: Core
            Reporter: Siim Põder


I noticed a suspicious-looking world-readable file on a VM that talks to the Google Compute Engine API via libcloud:

-rw-r--r--  1 root root      164 Jun 27 21:21 .gce_libcloud_auth.wargame-engine

It contains a "Bearer" access token so presumably should not be readable by other users on a shared system. I suspect this (untested) patch might maybe fix this in git head:

diff --git a/libcloud/common/google.py b/libcloud/common/google.py
index 694cf93..7a658c8 100644
--- a/libcloud/common/google.py
+++ b/libcloud/common/google.py
@@ -715,7 +715,7 @@ class GoogleBaseConnection(ConnectionUserAndKey, PollingConnection):
         """
         filename = os.path.realpath(os.path.expanduser(self.credential_file))
         data = json.dumps(self.token_info)
-        with open(filename, 'w') as f:
+        with os.open(filename, os.O_WRONLY, 0600) as f:
             f.write(data)
 
     def has_completed(self, response): 
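
Review bot: On the `+` line, `os.open()` returns an integer file descriptor rather than a file object, so it cannot be used as a context manager and `f.write(data)` would fail. Wrap the descriptor instead, for example `with os.fdopen(os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:`. The flags as written are only `os.O_WRONLY`: without `os.O_CREAT` the call fails when the credential file does not exist yet and the mode argument is never used, and without `os.O_TRUNC` a shorter token leaves stale bytes from the previous contents at the end of the file. The mode is applied only when the file is created, so credential files already written as 0644 stay world-readable unless the code also calls `os.fchmod` or `os.chmod` on them. The literal `0600` is Python 2-only syntax; `0o600` works on Python 2.6+ and Python 3.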



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)