Message148697
| Author | Vincent.Danen |
| Recipients | Vincent.Danen, eric.araujo, tarek |
| Date | 2011-11-30.23:23:22 |
| SpamBayes Score | 5.9877416e-06 |
| Marked as misclassified | No |
| Message-id | <1322695403.24.0.389183798564.issue13512@psf.upfronthosting.co.za> |
| In-reply-to | |
| Content |
A bug was reported in Python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600.
Perhaps the file should be created (empty), chmod'd, and then written to or perhaps tempfile.mkstemp() could be used to create the file and then move it in-place.
On systems where /home/user is 0700 by default this isn't a problem, but there is a race condition that could possibly (although the window would be small) expose credentials in a home directory that is 0755, for instance.
I searched and couldn't find a similar report here, so decided to make upstream aware of the bug reported to Debian.
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
https://bugzilla.redhat.com/show_bug.cgi?id=758905
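The write-then-chmod pattern reported in the message, next to the two fixes it suggests, as an added example (not distutils code and not part of the original report). The function names, the `observe` hook and the sample contents are assumptions made for illustration; the hook stands in for a reader that looks at the file while the writer is still running.

```python
import os
import stat
import tempfile

# Constructed sample content; the credentials are placeholders.
SAMPLE = "[server-login]\nusername:example-user\npassword:example-password\n"


def mode_of(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_then_chmod(path, data, observe=lambda p: None):
    """Reported pattern: the data is on disk before the mode is tightened."""
    with open(path, "w") as f:      # created as 0666 & ~umask, typically 0644
        f.write(data)
    observe(path)                   # the window: contents present, mode still loose
    os.chmod(path, 0o600)


def create_chmod_write(path, data, observe=lambda p: None):
    """First suggestion: create empty, restrict, then write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)        # also covers a pre-existing, looser file
        f.write(data)
        f.flush()
        observe(path)               # contents present, mode already 0600


def mkstemp_then_move(path, data, observe=lambda p: None):
    """Second suggestion: mkstemp() creates 0600 files; rename into place."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".pypirc.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        observe(tmp)                # temporary file is 0600 throughout
        os.replace(tmp, path)       # atomic on POSIX within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
```

With a umask of 022 the first function leaves the credentials readable as 0644 until `os.chmod` runs, while the other two never have the contents on disk under a mode looser than 0600.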
History

| Date | User | Action | Args |
|---|---|---|---|
| 2011-11-30 23:23:23 | Vincent.Danen | set | recipients: + Vincent.Danen, tarek, eric.araujo |
| 2011-11-30 23:23:23 | Vincent.Danen | set | messageid: <1322695403.24.0.389183798564.issue13512@psf.upfronthosting.co.za> |
| 2011-11-30 23:23:22 | Vincent.Danen | link | issue13512 messages |
| 2011-11-30 23:23:22 | Vincent.Danen | create | |