[New-bugs-announce] [issue13512] ~/.pypirc created insecurely

Vincent Danen report at bugs.python.org
Thu Dec 1 00:23:23 CET 2011


New submission from Vincent Danen <vdanen at linsec.ca>:

A bug was reported in python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600.

Perhaps the file should be created (empty), chmod'd, and then written to or perhaps tempfile.mkstemp() could be used to create the file and then move it in-place.

On systems where /home/user is 0700 by default this isn't a problem, but there is a race condition that could possibly (although the window would be small) expose credentials in a home directory that is 0755, for instance.

I searched and couldn't find a similar report here, so decided to make upstream aware of the bug reported to Debian.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
https://bugzilla.redhat.com/show_bug.cgi?id=758905

----------
assignee: tarek
components: Distutils
messages: 148697
nosy: Vincent.Danen, eric.araujo, tarek
priority: normal
severity: normal
status: open
title: ~/.pypirc created insecurely
type: security
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13512>
_______________________________________
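The two fixes proposed in the report (create the file with restrictive permissions before writing, or write to a tempfile.mkstemp() file and move it into place), shown next to the reported open/write/chmod pattern so the window can be observed. This is an added illustration written for this page, not distutils' own code; the function names, the demo directory helper and the constructed .pypirc contents are assumptions, and the mode values assume POSIX permission semantics.

```python
import os
import stat
import tempfile


def file_mode(path):
    """Permission bits of `path` (e.g. 0o600), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def current_umask():
    """Read the process umask without changing it (set, then restore)."""
    old = os.umask(0)
    os.umask(old)
    return old


def demo_dir():
    """Fresh private scratch directory for the examples (constructed input)."""
    return tempfile.mkdtemp(prefix="pypirc-demo-")


def write_private_file(path, contents):
    """Write `contents` to `path` so the data is never readable by others,
    not even briefly: tempfile.mkstemp() creates the temporary file with
    O_EXCL and mode 0o600 in the target directory, the credentials are
    written into that already-private file, and os.replace() moves it
    into place atomically. Returns the resulting mode of `path`."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".pypirc-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(contents)
        os.replace(tmp_path, path)   # atomic rename: no half-written state
    except BaseException:
        os.unlink(tmp_path)          # leave no temp copy of the secret behind
        raise
    return file_mode(path)


def write_private_file_direct(path, contents):
    """The other option from the report: create the file with the 0600 mode
    applied at creation (os.open with a mode argument), then write to it.
    O_EXCL makes the call fail if anything (file or symlink) already exists
    at `path`, so an existing world-readable file is never silently reused;
    to replace an existing ~/.pypirc use write_private_file() instead."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    return file_mode(path)


def insecure_create_mode(path):
    """Reproduce the reported pattern (open, write, chmod afterwards) and
    return the mode the file had while the credentials were already on disk
    but before the chmod: 0o666 & ~umask, typically 0o644 (world-readable).
    The .pypirc contents here are constructed sample data."""
    with open(path, "w") as f:
        f.write("[pypi]\nusername = user\npassword = secret\n")
        f.flush()
        mode_before_chmod = file_mode(path)
    os.chmod(path, 0o600)
    return mode_before_chmod


if __name__ == "__main__":
    d = demo_dir()
    print("insecure pattern, mode before chmod: %o" % insecure_create_mode(d + "/old"))
    print("mkstemp + replace, final mode:      %o" % write_private_file(d + "/new", "[pypi]\n"))
    print("os.open(0o600) then write, mode:    %o" % write_private_file_direct(d + "/new2", "[pypi]\n"))
```

Running it on a system with the usual 022 umask prints 644 for the reported pattern and 600 for both fixes; the mkstemp variant is the one that also works when ~/.pypirc already exists, because the rename replaces the old file (and its old mode) in one step.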

