jenkins-bot has submitted this change and it was merged.
Change subject: introducing new config variable: private_files_permission
......................................................................
introducing new config variable: private_files_permission
Change-Id: I8b4d560a5c0ce17056a3edb1a340a1369100af8e
---
M generate_user_files.py
M pywikibot/config2.py
M pywikibot/login.py
3 files changed, 46 insertions(+), 3 deletions(-)
Approvals:
John Vandenberg: Looks good to me, approved
XZise: Looks good to me, but someone else must approve
jenkins-bot: Verified
diff --git a/generate_user_files.py b/generate_user_files.py
index c98c535..825f948 100644
--- a/generate_user_files.py
+++ b/generate_user_files.py
@@ -79,7 +79,7 @@
break
else:
try:
- os.mkdir(new_base, 0o700)
+ os.mkdir(new_base, pywikibot.config2.private_files_permission)
except Exception:
pywikibot.error("ERROR: directory creation failed")
continue
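Review bot: `private_files_permission` is described in config2.py as the mode for private files such as the password file, but `os.mkdir(new_base, ...)` here uses it as a directory mode. The `os.makedirs(dir, mode=...)` hunk in config2.py does the same, while login.py applies the value to a regular file with `os.chmod`. A user who tightens the setting to owner read/write for the password file would get a base directory without the owner search bit, and the default `S_IRWXU` leaves the password file owner-executable. A directory call such as `os.mkdir(new_base, pywikibot.config2.private_files_permission | 0o100)` would keep the directory usable whatever file mode is configured. The enclosing loop starts and ends outside the hunk.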
diff --git a/pywikibot/config2.py b/pywikibot/config2.py
index 3792be5..0343338 100644
--- a/pywikibot/config2.py
+++ b/pywikibot/config2.py
@@ -24,6 +24,7 @@
import collections
import os
+import stat
import sys
from warnings import warn
@@ -37,7 +38,7 @@
# Please keep _imported_modules in sync with the imports above
-_imported_modules = ('os', 'sys', 'collections')
+_imported_modules = ('collections', 'os', 'stat', 'sys')
# IMPORTANT:
# Do not change any of the variables in this file. Instead, make
@@ -151,6 +152,27 @@
# relevant summary for bot edits
default_edit_summary = u'Pywikibot v.2'
+# What permissions to use to set private files to it
+# such as password file.
+#
+# stat.S_IRWXU 0o700 mask for owner permissions
+# stat.S_IRUSR 0o400 read permission for owner
+# stat.S_IWUSR 0o200 write permission for owner
+# stat.S_IXUSR 0o100 execute permission for owner
+# stat.S_IRWXG 0o070 mask for group permissions
+# stat.S_IRGRP 0o040 read permission for group
+# stat.S_IWGRP 0o020 write permission for group
+# stat.S_IXGRP 0o010 execute permission for group
+# stat.S_IRWXO 0o007 mask for others permissions
+# stat.S_IROTH 0o004 read permission for others
+# stat.S_IWOTH 0o002 write permission for others
+# stat.S_IXOTH 0o001 execute permission for others
+private_files_permission = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
+
+# Allow user to stop warnings about file security
+# by setting this to true.
+ignore_file_security_warnings = False
+
def get_base_dir(test_directory=None):
r"""Return the directory in which user-specific information is
stored.
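Review bot: The comment above `private_files_permission` does not mention that the value is also passed as the directory mode to `os.makedirs` later in this file. The comment on `ignore_file_security_warnings` describes a warning switch, although the check added near the end of the file exits the program. I would reword the first to `# Permission bits applied to private files (such as the password file) and to the user directory created for them.` and the second to `# Set to True to let pywikibot run even when private_files_permission grants access to group or others.`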
@@ -226,7 +248,7 @@
for dir in base_dir_cand:
dir = os.path.join(*dir)
if not os.path.isdir(dir):
- os.makedirs(dir, mode=0o700)
+ os.makedirs(dir, mode=private_files_permission)
if exists(dir):
base_dir = dir
break
@@ -916,6 +938,17 @@
"Defaulting to family='test' and mylang='test'.")
family = mylang = 'test'
+# SECURITY WARNINGS
+if (not ignore_file_security_warnings and
+ private_files_permission & (stat.S_IRWXG | stat.S_IRWXO) != 0):
+ print("CRITICAL SECURITY WARNING: 'private_files_permission' is
set"
+ " to allow access from the group/others which"
+ " could give them access to the sensitive files."
+ " To avoid giving others access to sensitive files, pywikibot"
+ " won't run with this setting. Choose a more restrictive"
+ " permission or set 'ignore_file_security_warnings' to
true.")
+ sys.exit(1)
+
#
# When called as main program, list all configuration variables
#
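Review bot: The check writes its message with `print()` to standard output and then calls `sys.exit(1)` at module level, so the text can get lost in piped output and any program importing this config module is terminated during import. `sys.exit("CRITICAL SECURITY WARNING: ...")` would send the same text to stderr and still exit with status 1. Raising an exception instead would let embedding code decide what to do. The message tells the user to set the flag to "true", where the Python value is `True`. The check looks only at the configured value; the modes of directories that already exist are not examined in the visible hunks.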
diff --git a/pywikibot/login.py b/pywikibot/login.py
index b2ace77..dff941b 100644
--- a/pywikibot/login.py
+++ b/pywikibot/login.py
@@ -10,6 +10,9 @@
__version__ = '$Id$'
#
import codecs
+import os
+import stat
+
from warnings import warn
import pywikibot
@@ -174,6 +177,13 @@
(u"wikipedia", u"my_wikipedia_user",
u"my_wikipedia_pass")
(u"en", u"wikipedia", u"my_en_wikipedia_user",
u"my_en_wikipedia_pass")
"""
+ # We fix password file permission first,
+ # lift upper permission (regular file) from st_mode
+ # to compare it with private_files_permission.
+ if os.stat(config.password_file).st_mode - stat.S_IFREG \
+ != config.private_files_permission:
+ os.chmod(config.password_file, config.private_files_permission)
+
password_f = codecs.open(config.password_file, encoding='utf-8')
for line in password_f:
if not line.strip():
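Review bot: The test `os.stat(config.password_file).st_mode - stat.S_IFREG != config.private_files_permission` subtracts the file-type constant arithmetically, which yields the permission bits only when the path resolves to a regular file. `if stat.S_IMODE(os.stat(config.password_file).st_mode) != config.private_files_permission:` states the intent without that assumption. The `os.chmod` then tightens the mode silently; a looser mode means the stored passwords may already have been readable by other local users, so a `warn(...)` call (already imported in this file) before the chmod would prompt the operator to rotate them. `os.stat` and `os.chmod` can raise `OSError` when the file is missing or owned by another user, and nothing in the hunk handles that. The function starts and ends outside the hunk.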
--
To view, visit
https://gerrit.wikimedia.org/r/192253
Gerrit-MessageType: merged
Gerrit-Change-Id: I8b4d560a5c0ce17056a3edb1a340a1369100af8e
Gerrit-PatchSet: 10
Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-Owner: Mjbmr <mjbmri(a)gmail.com>
Gerrit-Reviewer: John Vandenberg <jayvdb(a)gmail.com>
Gerrit-Reviewer: Ladsgroup <ladsgroup(a)gmail.com>
Gerrit-Reviewer: Merlijn van Deen <valhallasw(a)arctus.nl>
Gerrit-Reviewer: Mjbmr <mjbmri(a)gmail.com>
Gerrit-Reviewer: XZise <CommodoreFabianus(a)gmx.de>
Gerrit-Reviewer: jenkins-bot <>