[New-bugs-announce] [issue13512] ~/.pypirc created insecurely

Vincent Danen report at bugs.python.org
Thu Dec 1 00:23:23 CET 2011

New submission from Vincent Danen <vdanen at linsec.ca>:

A bug was reported in python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600.

Perhaps the file should be created (empty), chmod'd, and then written to or perhaps tempfile.mkstemp() could be used to create the file and then move it in-place.

On systems where /home/user is 0700 by default this isn't a problem, but there is a race condition that could possibly (although the window would be small) to expose credentials in a home directory that is 0755, for instance.

I searched and couldn't find a similar report here, so decided to make upstream aware of the bug reported to Debian.



assignee: tarek
components: Distutils
messages: 148697
nosy: Vincent.Danen, eric.araujo, tarek
priority: normal
severity: normal
status: open
title: ~/.pypirc created insecurely
type: security
versions: Python 2.7

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list