author | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2013-03-22 19:12:55 +0100 |
---|---|---|
committer | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2013-03-22 19:12:55 +0100 |
commit | bb530c44450b88c3584f4e50119857599e5a5f40 (patch) | |
tree | 26998ee711c09a33b71c68af8f83eb84b0ab0308 | |
parent | 5a8aae3abac43fdebe6818330ad3c5d951de42b9 (diff) | |
Improve fs security for itsdangerous secret.
Set mode 700 on the directory, mode 600 on the file.
-rw-r--r-- | mediagoblin/tools/crypto.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/mediagoblin/tools/crypto.py b/mediagoblin/tools/crypto.py
index 3294f135..0fb2ba2e 100644
--- a/mediagoblin/tools/crypto.py
+++ b/mediagoblin/tools/crypto.py
@@ -38,14 +38,18 @@ def setup_crypto():
 global __itsda_secret
 dir = mg_globals.app_config["crypto_path"]
 if not os.path.isdir(dir):
- _log.info("Creating %s", dir)
 os.makedirs(dir)
+ os.chmod(dir, 0700)
+ _log.info("Created %s", dir)
 name = os.path.join(dir, "itsdangeroussecret.bin")
 if os.path.exists(name):
 __itsda_secret = file(name, "r").read()
 else:
 __itsda_secret = str(getrandbits(192))
- file(name, "w").write(__itsda_secret)
+ f = file(name, "w")
+ f.write(__itsda_secret)
+ f.close()
+ os.chmod(name, 0600)
 _log.info("Created %s", name) |
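Review bot: The secret is written to disk before `os.chmod(name, 0600)` runs, so between `file(name, "w")` and the chmod the file carries whatever mode the process umask allows. The parent directory only shields it when the directory was just created, because an already existing `crypto_path` skips the `os.chmod(dir, 0700)` branch. Creating the file with its final mode closes that window: `fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0600)` followed by `f = os.fdopen(fd, "w")`, after which the trailing chmod is no longer needed. A secret file left over from an earlier run is read in the `os.path.exists(name)` branch without its mode being tightened, so installs that predate this change keep their old permissions; a chmod (or a logged warning) on that path would cover them. The `def` line of setup_crypto sits just above the hunk.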