pocket-cli
Configuration file should not be world readable
The command pocket-cli configure by default leaves the ~/.pocket-config file world readable:
$ ls -l ~/.pocket-config
-rw-r--r-- 1 kseistrup kseistrup 166 Feb 20 11:29 /home/kseistrup/.pocket-config
Since this file contains sensitive information (consumer_key and access_token), the file should be made readable only by the user (umask 0077) or at most by the user and their group (umask 0027) by setting the umask before creating the file. E.g.,
diff --git a/pocket_cli/config.py b/pocket_cli/config.py
index 08ad61a..e572b2b 100644
--- a/pocket_cli/config.py
+++ b/pocket_cli/config.py
@@ -29,7 +29,9 @@ class Configs:
self._config_parser.set(self._section_name, name, str(value))
def write(self):
+ old_umask = os.umask(int('0077', 8))
self._config_parser.write(open(self._get_file_path(), 'w'))
+ _ = os.umask(old_umask)
def _get_file_path(self):
return '{}/.pocket-config'.format(os.path.expanduser('~'))
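Review bot: the umask in this hunk only affects a file that is created by this call; if ~/.pocket-config already exists with mode 0644 (the situation in the report, e.g. when re-running configure), open(..., 'w') truncates it and keeps its existing mode, so the secret would stay world readable. Suggest an explicit os.chmod(self._get_file_path(), 0o600) after the write (or os.open with an explicit mode), and wrapping the write in try/finally so the umask is restored even if write() raises. Minor: the open() result is never closed; a with-block would close it deterministically.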
The reason for using the cryptic int('0077', 8) is that octal 0077 is presented like that in Python 2, while Python 3 uses 0o077 (which isn't recognized by Python 2).
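As an added illustration of the fix discussed above (this is example code, not pocket-cli's own config.py, and it targets Python 3), the helper below creates the file with an explicit 0600 mode while the umask is narrowed, restores the umask in a finally block, and then chmods the file so that a config file that already existed world readable is tightened as well. The function names, the temporary-directory demo and the placeholder key values are all constructed for this example; it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile


def file_mode(path):
    """Permission bits of `path` (e.g. 0o644), without file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path):
    """True if the 'other' read bit is set, as in the ls -l output reported."""
    return bool(file_mode(path) & stat.S_IROTH)


def write_private_file(path, text, mode=0o600):
    """Hypothetical replacement for Configs.write(): write `text` to `path`
    so the result is readable/writable by the owner only, whether or not
    the file already existed."""
    # Narrow the umask around the create so a permissive umask cannot widen
    # `mode`; restore it in finally so a failing os.open does not leak it.
    old_umask = os.umask(0o077)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, 'w') as fh:          # closes the descriptor on exit
        fh.write(text)
    # O_CREAT's mode only applies to a newly created file; an existing file
    # keeps its old bits on open, so tighten it explicitly.
    os.chmod(path, mode)
    return file_mode(path)


def demo_secure_write():
    """Constructed demo: a fresh file and a pre-existing 0644 file both end
    up 0600.  Runs in a temporary directory, never touching ~/.pocket-config."""
    sample = ("[pocket]\n"
              "consumer_key = CONSUMER_KEY_PLACEHOLDER\n"   # constructed value
              "access_token = ACCESS_TOKEN_PLACEHOLDER\n")  # constructed value
    with tempfile.TemporaryDirectory() as tmp:
        fresh = os.path.join(tmp, 'fresh-config')
        existing = os.path.join(tmp, 'existing-config')
        # Reproduce the reported state: config already written world readable.
        with open(existing, 'w') as fh:
            fh.write('[pocket]\n')
        os.chmod(existing, 0o644)
        existing_was_world_readable = is_world_readable(existing)
        return {
            'fresh_mode': write_private_file(fresh, sample),
            'existing_was_world_readable': existing_was_world_readable,
            'existing_mode': write_private_file(existing, sample),
        }


if __name__ == '__main__':
    result = demo_secure_write()
    print('fresh file mode:    ', oct(result['fresh_mode']))
    print('existing file was world readable before:', result['existing_was_world_readable'])
    print('existing file mode: ', oct(result['existing_mode']))
```

The umask-only approach from the patch covers the first case (fresh file) but not the second; the explicit os.chmod is what closes the gap for users who already ran configure once.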
You're right from a security perspective. I'll take your suggestion into account.
Thanks!