From 93052d1c683e9fee88789d5b05866c0a14a5ff4f Mon Sep 17 00:00:00 2001 From: "John L. Villalovos" <john.l.villalovos@intel.com> Date: Fri, 20 Feb 2015 10:47:36 -0800 Subject: [PATCH] Security: Require config file to be mode 0600 Require the config file to have a permission of 0600 if it contains a password. This way it is only readable/writeable by the user Change-Id: I0c38a3c41125422b981ed3f799870906a0700180 --- gertty/config.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/gertty/config.py b/gertty/config.py index bce70d0..b5285d4 100644 --- a/gertty/config.py +++ b/gertty/config.py @@ -137,6 +137,16 @@ class Config(object): if self.password is None: self.password = getpass.getpass("Password for %s (%s): " % (self.url, self.username)) + else: + # Ensure file is only readable by user as password is stored in + # file. + mode = os.stat(self.path).st_mode & 0o0777 + if not mode == 0o600: + print ( + "Error: Config file '{}' contains a password and does " + "not have permissions set to 0600.\n" + "Permissions are: {}".format(self.path, oct(mode))) + exit(1) self.auth_type = server.get('auth-type', 'digest') auth_types = ['digest', 'basic'] if self.auth_type not in auth_types: @@ -212,6 +222,7 @@ class Config(object): def printSample(self): filename = 'share/gertty/examples' print """Gertty requires a configuration file at ~/.gertty.yaml +If the file contains a password then permissions must be set to 0600. Several sample configuration files were installed with Gertty and are available in %s in the root of the installation.
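Review bot: The new permission check in the `else` branch tests `mode == 0o600` exactly, so it rejects a stricter owner-only mode such as 0400 while the property actually wanted is that no group/other bits are set; `if mode & 0o077:` expresses that directly, and the message can then read `"is readable or writable by group/other (permissions are {})"`. The error path calls the site-module builtin `exit(1)`, which is not available under `python -S` and cannot be caught by a library caller; `sys.exit(1)` (or raising a config error) is the safer form. The hunk uses `os.stat` but the diffstat's 11 insertions are all within these two hunks, so no `import os` was added — worth confirming config.py already imports it, otherwise this branch raises NameError. Since the check runs after `self.password` has already been populated from the file, it is a policy gate, not a guard against reading a world-readable secret, which the commit message could say explicitly. The enclosing method starts and ends outside the hunk.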