Security: Require config file to be mode 0600

Require the config file to have a permission of 0600 if it contains a password. This way it is only readable/writeable by the user Change-Id: I0c38a3c41125422b981ed3f799870906a0700180
2015-02-20 10:47:36 -08:00 · 2015-02-20 10:47:36 -08:00 · 93052d1c68
commit 93052d1c68
parent 14d7aee065
1 changed files with 11 additions and 0 deletions
--- a/gertty/config.py
+++ b/gertty/config.py
@ -137,6 +137,16 @@ class Config(object):
        if self.password is None:
            self.password = getpass.getpass("Password for %s (%s): "
                                            % (self.url, self.username))
+        else:
+            # Ensure file is only readable by user as password is stored in
+            # file.
+            mode = os.stat(self.path).st_mode & 0o0777
+            if not mode == 0o600:
+                print (
+                    "Error: Config file '{}' contains a password and does "
+                    "not have permissions set to 0600.\n"
+                    "Permissions are: {}".format(self.path, oct(mode)))
+                exit(1)
        self.auth_type = server.get('auth-type', 'digest')
        auth_types = ['digest', 'basic']
        if self.auth_type not in auth_types:
@ -212,6 +222,7 @@ class Config(object):
    def printSample(self):
        filename = 'share/gertty/examples'
        print """Gertty requires a configuration file at ~/.gertty.yaml
+If the file contains a password then permissions must be set to 0600.

 Several sample configuration files were installed with Gertty and are
 available in %s in the root of the installation.