[bitbake-devel] [PATCH] fetch2/wget: add Basic Auth from netrc to checkstatus()

Matthew McClintock msm-oss at mcclintock.net
Tue Dec 20 09:00:32 UTC 2016


On Tue, Dec 20, 2016 at 1:50 AM, Mark Hatle <mark.hatle at windriver.com> wrote:
>> I'm confused how is .netrc dangerous in this regard? The python
>> library actually won't use netrc if the permissions on the file are
>> wrong but I'm not aware of how there is leakage here? Maybe you're
>> just warning against parsing and adding to the command line?
>
> The credentials are stored in plain text in .netrc.  This is a problem on
> multiuser machines, as often user home directories are world accessible, and
> often users forget to mark things like .netrc as private.
>
> Any time a credential is stored in plain text is potentially dangerous if
> someone can access the users directory.  (I don't consider .ssh credentials in
> the same category because people and ssh enforce the permissions on the
> directory for security reasons.  wget does not.)

Well, you can only go so far to protect users. Perhaps we could add a
usenetrc=true flag to URIs and then error if the permissions are
wrong, or even just throw the error from the netrc python lib instead
of catching it?

Currently, though, wget uses netrc and python checkstatus does not, so
I'd claim this is broken as-is.

-M
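The two options raised in the thread, a usenetrc flag on the URI and failing hard on a badly protected .netrc instead of silently falling back, can be sketched in a few lines of Python. The following is an added example written for this page; it is not bitbake code and not part of the patch under discussion. It repeats the owner/mode check that CPython's netrc module applies only when it reads ~/.netrc itself (an explicitly passed path is not checked), so the same hygiene rule holds for any file the fetcher is pointed at. The function names, the usenetrc parameter and the sample netrc contents are assumptions made for the example.

```python
"""Added example: gate Basic Auth from a netrc file on the file's permissions."""
import base64
import netrc
import os
import stat
import tempfile
from urllib.parse import urlparse


class NetrcPermissionError(Exception):
    """Raised when a netrc file is readable by anyone other than its owner."""


def check_netrc_permissions(path):
    """Refuse a netrc file that is not owned by us or is group/world accessible.

    Mirrors the check CPython applies to the default ~/.netrc; repeated here
    because the library skips it when given an explicit path.
    """
    st = os.stat(path)
    if os.name == "posix":
        if st.st_uid != os.getuid():
            raise NetrcPermissionError(
                f"{path}: owned by uid {st.st_uid}, not current uid {os.getuid()}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise NetrcPermissionError(
                f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} allows group/other access")
    return True


def basic_auth_header(url, netrc_path, usenetrc=True):
    """Return an Authorization header dict for url's host from netrc, or None.

    usenetrc=False mimics the current checkstatus() behaviour (netrc unused).
    With usenetrc=True a badly protected file is an error, not a silent skip:
    the "throw instead of catching" option from the thread.
    """
    if not usenetrc:
        return None
    check_netrc_permissions(netrc_path)  # hypothetical policy: fail loudly
    host = urlparse(url).hostname
    entry = netrc.netrc(netrc_path).authenticators(host)
    if entry is None:
        return None  # no credentials for this host; plain unauthenticated HEAD
    login, _account, password = entry
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def credentials_status(url, netrc_path, usenetrc=True):
    """Summarise the outcome as a string: 'ok', 'none' or 'denied'."""
    try:
        header = basic_auth_header(url, netrc_path, usenetrc)
    except NetrcPermissionError:
        return "denied"
    return "ok" if header else "none"


def write_netrc(contents, mode):
    """Write a constructed netrc file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(prefix="netrc-example-")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(path, mode)
    return path


# Constructed sample entry; the host and credentials are made up for the example.
SAMPLE_NETRC = "machine downloads.example.com login builder password s3cret\n"
SAMPLE_URL = "https://downloads.example.com/pkg/foo-1.0.tar.gz"

if __name__ == "__main__":
    private = write_netrc(SAMPLE_NETRC, 0o600)
    shared = write_netrc(SAMPLE_NETRC, 0o644)
    print("0600:", credentials_status(SAMPLE_URL, private))  # ok
    print("0644:", credentials_status(SAMPLE_URL, shared))   # denied
    print("usenetrc=false:", credentials_status(SAMPLE_URL, private, usenetrc=False))  # none
    os.unlink(private)
    os.unlink(shared)
```

The 0644 case is the one the thread worries about: on a shared machine the password is already exposed, so a fetcher that quietly proceeds without it hides the problem, while one that errors at least tells the user why the download status check failed.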