[bitbake-devel] [PATCH] fetch2/wget: add Basic Auth from netrc to checkstatus()

Mark Hatle mark.hatle at windriver.com
Tue Dec 20 14:49:02 UTC 2016


On 12/20/16 3:00 AM, Matthew McClintock wrote:
> On Tue, Dec 20, 2016 at 1:50 AM, Mark Hatle <mark.hatle at windriver.com> wrote:
>>> I'm confused: how is .netrc dangerous in this regard? The python
>>> library actually won't use netrc if the permissions on the file are
>>> wrong, but I'm not aware of how there is leakage here. Maybe you're
>>> just warning against parsing and adding to the command line?
>>
>> The credentials are stored in plain text in .netrc.  This is a problem on
>> multiuser machines, as often user home directories are world accessible, and
>> often users forget to mark things like .netrc as private.
>>
>> Any time a credential is stored in plain text, it is potentially dangerous if
>> someone can access the user's directory.  (I don't consider .ssh credentials in
>> the same category because people and ssh enforce the permissions on the
>> directory for security reasons.  wget does not.)
> 
> Well, you can only go so far to protect users; perhaps we could add a
> usenetrc=true flag to URIs and then error if the permissions are
> wrong, or even just throw the error from the netrc python lib instead
> of catching it?

I consider this an issue with the programs using the netrc, not bitbake or
others.  (Plus, bitbake can be adjusted to use curl or other programs, not
just wget, which may have different semantics, by re-defining FETCHCMD_wget.)

I just wanted to call this out as an issue, because it has been problematic in
the past for us and we had to devise a solution that worked without the .netrc.

> Currently though wget uses netrc and python checkstatus does not so
> I'd claim this is broken as-is.

Agreed.

--Mark

> -M
> 
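The thread's two points are that checkstatus() should honour the same .netrc that wget does, and that a plain-text .netrc is only acceptable when its permissions keep it private. The Python netrc module enforces the owner/0600 check only when it opens the default ~/.netrc; when a path is passed explicitly, that check is skipped. The following is an added example, not bitbake's fetcher code and not code from anyone in this thread: it repeats the permission check for an explicit path and then builds the Basic Auth header a status check would send. The function names, the explicit netrc path, and the "example.com" entry are constructed for the illustration.

```python
"""Build an HTTP Basic Auth header from a netrc file for a status check,
refusing credentials from a file other users can read.

Added example, not bitbake code. Assumes the netrc path is passed explicitly,
which is exactly the case where Python's netrc module skips its own
permission check, so the check is repeated here.
"""
import base64
import netrc
import os
import stat
import tempfile
from urllib.parse import urlparse


class NetrcPermissionError(Exception):
    """Raised when the netrc file would expose a password to other users."""


def check_netrc_permissions(path):
    """Reject a netrc file not owned by us or readable by group/others."""
    st = os.stat(path)
    if os.name == "posix" and st.st_uid != os.getuid():
        raise NetrcPermissionError("%s is not owned by the current user" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise NetrcPermissionError(
            "%s is accessible by group/others; expected mode 0600" % path)


def basic_auth_header(url, netrc_path):
    """Return {'Authorization': 'Basic ...'} for url's host, or {} if no entry.

    Permissions are verified before any password is read from the file.
    """
    check_netrc_permissions(netrc_path)
    host = urlparse(url).hostname
    entry = netrc.netrc(netrc_path).authenticators(host)
    if entry is None:
        return {}
    login, _account, password = entry
    raw = ("%s:%s" % (login, password or "")).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def demo(mode):
    """Write a constructed netrc entry with the given mode and try to use it.

    Returns the header dict on success, or the refusal message as a string.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "netrc")
        with open(path, "w") as f:
            # Constructed sample entry; not a real credential.
            f.write("machine example.com login alice password s3cret\n")
        os.chmod(path, mode)
        try:
            return basic_auth_header("https://example.com/foo.tar.gz", path)
        except NetrcPermissionError as e:
            return str(e)


if __name__ == "__main__":
    print(demo(0o600))  # header is produced
    print(demo(0o644))  # refused: file readable by others
```

Because the permission check runs before the file is parsed, a mis-secured .netrc is refused rather than silently used, which matches the "throw the error instead of catching it" option raised above.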