New submission from Vincent Danen <vda...@linsec.ca>:

A bug was reported in python's distutils in that ~/.pypirc was created 
insecurely by first creating and writing user/password information to the file, 
then chmod'ing it to 0600.

Perhaps the file should be created (empty), chmod'd, and then written to or 
perhaps tempfile.mkstemp() could be used to create the file and then move it 
in-place.

On systems where /home/user is 0700 by default this isn't a problem, but there 
is a race condition that could possibly (although the window would be small) 
expose credentials in a home directory that is 0755, for instance.

I searched and couldn't find a similar report here, so decided to make upstream 
aware of the bug reported to Debian.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
https://bugzilla.redhat.com/show_bug.cgi?id=758905

----------
assignee: tarek
components: Distutils
messages: 148697
nosy: Vincent.Danen, eric.araujo, tarek
priority: normal
severity: normal
status: open
title: ~/.pypirc created insecurely
type: security
versions: Python 2.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13512>
_______________________________________
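The two alternatives the report proposes, as an added Python example that is not part of the report or of distutils: `write_insecure` reproduces the reported write-then-chmod order, with an `observe` hook standing in for another local process looking at the file during the window, while the two fixed writers never leave the file with a loose mode. The file names, the `demo` helper and the placeholder credentials are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed placeholder credentials, not a real account.
CONTENT = "[pypi]\nusername = alice\npassword = EXAMPLE-NOT-REAL\n"

def mode_of(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)

def write_insecure(path, observe=lambda p: None):
    """Reported pattern: write first, chmod afterwards."""
    # open(..., 'w') creates the file as 0o666 masked by the umask,
    # so it is typically 0o644 until the chmod below runs.
    with open(path, "w") as f:
        f.write(CONTENT)
        observe(path)  # the window: another local user could read the file here
    os.chmod(path, 0o600)

def write_via_mkstemp(path):
    """Fix 1 from the report: mkstemp() creates the file 0o600 regardless of umask."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(CONTENT)
        os.replace(tmp, path)  # atomic rename; the target is never world-readable
    except BaseException:
        os.unlink(tmp)
        raise

def write_via_open(path):
    """Fix 2: create empty with 0o600 requested up front, then write."""
    # O_EXCL additionally refuses to reuse anything already at the path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(CONTENT)

def demo():
    """Run the three writers in a fresh directory under umask 0o022; return observed modes."""
    old_umask, seen = os.umask(0o022), {}
    try:
        with tempfile.TemporaryDirectory() as d:
            p = os.path.join(d, "pypirc-insecure")
            write_insecure(p, observe=lambda q: seen.update(insecure_window=mode_of(q)))
            seen["insecure_final"] = mode_of(p)
            for name, writer in (("mkstemp", write_via_mkstemp), ("open_excl", write_via_open)):
                target = os.path.join(d, "pypirc-" + name)
                writer(target)
                seen[name] = mode_of(target)
    finally:
        os.umask(old_umask)
    return seen
```

With the default umask of 022, `demo()` reports 0o644 for the insecure writer during the window and 0o600 at every other point.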