[bitbake-devel] [PATCH] fetch2/wget: add Basic Auth from netrc to checkstatus()

Mark Hatle mark.hatle at windriver.com
Tue Dec 20 00:50:19 UTC 2016


On 12/17/16 3:42 AM, Matthew McClintock wrote:
> On Fri, Dec 16, 2016 at 5:59 PM, Mark Hatle <mark.hatle at windriver.com> wrote:
>> There was a recent change to wget that allows it to do an 'ASKPASS' when it
>> needs credentials.
>>
>> This is how we handle that at Wind River.  We define a WGET_ASKPASS program that
>> knows how to answer the credential questions [or prompt the user outside of the
>> build system, i.e. via gnome].
> 
> This is somewhat tangential to the patch above though? You could still do both.

Yes it is.

>> (Passing anything on the command line, or even via .netrc is really dangerous.
>> The command line due to 'ps' leakage on a multi-user system, and .netrc as the
>> credentials are stored in plain text.)
> 
> I'm confused: how is .netrc dangerous in this regard? The python
> library actually won't use netrc if the permissions on the file are
> wrong but I'm not aware of how there is leakage here? Maybe you're
> just warning against parsing and adding to the command line?

The credentials are stored in plain text in .netrc.  This is a problem on
multiuser machines, as often user home directories are world accessible, and
often users forget to mark things like .netrc as private.

Any time a credential is stored in plain text, it is potentially dangerous if
someone can access the user's directory.  (I don't consider .ssh credentials in
the same category because people and ssh enforce the permissions on the
directory for security reasons.  wget does not.)

> -M
> 
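
The following is an added example, not part of the original thread and not bitbake code: a permission audit for a plain-text credential file such as ~/.netrc, covering the exposure discussed above (group/other access on the file, and a parent directory that lets another account replace it). The names audit_credential_file and demo are hypothetical, the sample file is constructed, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

def audit_credential_file(path):
    """Return a list of findings for a plain-text credential file such as ~/.netrc."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    # Any group/other bit lets another local account read or modify the secret.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access; expected 0600"
                        % stat.S_IMODE(st.st_mode))
    # A writable parent lets another user swap the file even when it is 0600
    # (the sticky bit, as on /tmp, prevents that and is not flagged).
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is group/other writable")
    return findings

def demo():
    """Constructed sample: a throwaway netrc-style file, checked at 0644 then 0600."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        path = os.path.join(d, "netrc")
        with open(path, "w") as f:
            # Constructed placeholder entry, not a real host or credential.
            f.write("machine example.invalid login builder password not-a-real-secret\n")
        os.chmod(path, 0o644)
        loose = audit_credential_file(path)
        os.chmod(path, 0o600)
        tight = audit_credential_file(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result or "ok")
```
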



