Author Vincent.Danen
Recipients Vincent.Danen, eric.araujo, tarek
Date 2011-11-30.23:23:22
Message-id <1322695403.24.0.389183798564.issue13512@psf.upfronthosting.co.za>
Content
A bug was reported in python's distutils in that ~/.pypirc was created insecurely by first creating and writing user/password information to the file, then chmod'ing it to 0600.

Perhaps the file should be created (empty), chmod'd, and then written to or perhaps tempfile.mkstemp() could be used to create the file and then move it in-place.

On systems where /home/user is 0700 by default this isn't a problem, but there is a race condition that could possibly (although the window would be small) expose credentials in a home directory that is 0755, for instance.

I searched and couldn't find a similar report here, so decided to make upstream aware of the bug reported to Debian.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
https://bugzilla.redhat.com/show_bug.cgi?id=758905
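An added illustration, not code from the report or from distutils itself, of the two write patterns: the write-then-chmod sequence described above, showing the mode the file carries inside the window, beside the mkstemp()-then-rename alternative the report suggests. All function names, file names and the sample credentials are constructed for the example, and it assumes a POSIX system.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits of a file, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_pypirc_insecure(path, content):
    """The pattern from the report: write the credentials, then chmod.
    Returns the mode the file had between the write and the chmod, i.e.
    the window in which another local user could read it."""
    old_umask = os.umask(0o022)  # fixed umask so the result is deterministic
    try:
        with open(path, "w") as f:
            f.write(content)
        exposed = mode_of(path)  # 0o644 here: group- and world-readable
        os.chmod(path, 0o600)    # too late for anyone who opened it already
    finally:
        os.umask(old_umask)
    return exposed


def write_pypirc_secure(path, content):
    """Fix suggested in the report: mkstemp() creates the file 0600 (with
    O_EXCL) from the first instant, then the temp file is renamed over
    the target in the same directory."""
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".pypirc.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.replace(tmp_path, path)  # atomic; never visible half-written
    except BaseException:
        os.unlink(tmp_path)
        raise
    return mode_of(path)


def demo():
    """Run both writers in a scratch directory and report the modes seen.
    The credentials below are constructed; nothing real."""
    workdir = tempfile.mkdtemp()
    content = "[pypi]\nusername = example\npassword = not-a-real-secret\n"
    insecure_path = os.path.join(workdir, "pypirc-insecure")
    secure_path = os.path.join(workdir, "pypirc-secure")
    exposed = write_pypirc_insecure(insecure_path, content)
    secure_mode = write_pypirc_secure(secure_path, content)
    with open(secure_path) as f:
        round_trip = f.read() == content
    return {"exposed_mode": exposed, "final_insecure_mode": mode_of(insecure_path),
            "secure_mode": secure_mode, "secure_content_ok": round_trip}


if __name__ == "__main__":
    print(demo())
```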