Barry A. Warsaw added the comment:

FWIW, the Ubuntu manpage netrc(5) says:

     password string
               Supply a password.  If this token is present, the auto-login
               process will supply the specified string if the remote server
               requires a password as part of the login process.  Note that
               if this token is present in the .netrc file for any user other
               than anonymous, ftp will abort the auto-login process if the
               .netrc is readable by anyone besides the user.

On Ubuntu, /usr/bin/ftp comes from the netkit-ftp package, which has this code 
in ruserpass.c:

                case PASSWD:
                        if (*aname==NULL) {
        fprintf(stderr, "Error: `password' must follow `login' in .netrc\n");
                                goto bad;
                        }
                        if (strcmp(*aname, "anonymous") &&
                            fstat(fileno(cfile), &stb) >= 0 &&
                            (stb.st_mode & 077) != 0) {
        fprintf(stderr, "Error - .netrc file not correct permissions.\n");
        fprintf(stderr, "Remove password or correct mode (should be 600).\n");
                                goto bad;

So it looks like it's only doing a permission check too, and then only if it 
sees `password`. (FWIW, it does the same check, sans the "anonymous" check 
obviously, for `account`.)

Seems to me like only doing the permission check is sufficient, and in line 
with existing tools and documentation.  (Though technically, I suppose if you 
chowned ~/.netrc to someone other than yourself, it would be "readable by 
anyone besides the user".)

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue14984>
_______________________________________
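
The check discussed in the comment above, sketched in Python as an added example; it is not code from the original message, from netkit-ftp, or from CPython. The names `netrc_permission_error` and `check_owner` are hypothetical, and the ownership test is an assumption covering the chown case raised in the last paragraph, which the quoted excerpt does not perform.

```python
import os
import stat
import tempfile


def netrc_permission_error(fileobj, login, check_owner=True):
    """Return a reason string if an open .netrc is unsafe for a password entry.

    Follows the quoted excerpt: the "anonymous" login is exempt, and any
    group/other permission bit is an error. check_owner (an assumption, not
    in the excerpt) also rejects a file owned by a different user.
    """
    if login == "anonymous":
        return None
    # fstat the already-open handle, as the excerpt does, so the check applies
    # to the file actually being parsed rather than to whatever the path
    # points at by the time of the check.
    st = os.fstat(fileobj.fileno())
    if st.st_mode & 0o077:
        return "mode %o grants group/other access (should be 600)" % (
            stat.S_IMODE(st.st_mode))
    if check_owner and st.st_uid != os.getuid():
        return "owned by uid %d, not the current user" % st.st_uid
    return None


def demo():
    """Run the check over a constructed .netrc under several modes."""
    results = {}
    with tempfile.NamedTemporaryFile("w+") as f:
        # Constructed sample entry; host and secret are placeholders.
        f.write("machine example.invalid login alice password not-a-real-secret\n")
        f.flush()
        for mode in (0o600, 0o640, 0o604):
            os.fchmod(f.fileno(), mode)
            results[("alice", mode)] = netrc_permission_error(f, "alice")
        # The file is still mode 604 here; anonymous is exempt from the check.
        results[("anonymous", 0o604)] = netrc_permission_error(f, "anonymous")
    return results


if __name__ == "__main__":
    for key, err in demo().items():
        print(key, "->", err or "ok")
```
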