classification
Title: netrc module validates file mode only for /home/user/.netrc
Type: security Stage:
Components: Library (Lib) Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 3.4
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: akoeltringer
Priority: normal Keywords:

Created on 2018-03-12 21:05 by akoeltringer, last changed 2018-03-12 21:05 by akoeltringer.

Messages (1)
msg313701 - (view) Author: Andreas Költringer (akoeltringer) Date: 2018-03-12 21:05
On my first try to use the netrc module I got back the error: 

    "~/.netrc access too permissive: access permissions must restrict access to only the owner"

I changed the file permissions and wrapped this up in try-except and went on to write some unit tests (using tempfile), assuming that the file mode checks would be performed on any netrc file I passed into the constructor (yes, I did not read the documentation sufficiently well).

Anyway, I believe that these security checks should be done for any netrc file (they contain sensitive information no matter where they are located on the file system). There was already a discussion on the topic

    https://bugs.python.org/issue14984

where there was concern regarding backwards-compatibility and the idea to re-visit this issue "in the future". That was in 2013, so maybe this "future" is now?
History
Date User Action Args
2018-03-12 21:05:31akoeltringercreate