[Gerrit] introducing new config variable: private_files_permission - change (pywikibot/core) - Pywikibot-commits

3 Mar 2015

jenkins-bot has submitted this change and it was merged.

Change subject: introducing new config variable: private_files_permission
......................................................................


introducing new config variable: private_files_permission

Change-Id: I8b4d560a5c0ce17056a3edb1a340a1369100af8e
---
M generate_user_files.py
M pywikibot/config2.py
M pywikibot/login.py
3 files changed, 46 insertions(+), 3 deletions(-)

Approvals:
  John Vandenberg: Looks good to me, approved
  XZise: Looks good to me, but someone else must approve
  jenkins-bot: Verified

diff --git a/generate_user_files.py b/generate_user_files.py
index c98c535..825f948 100644
--- a/generate_user_files.py
+++ b/generate_user_files.py
@@ -79,7 +79,7 @@
             break
         else:
             try:
-                os.mkdir(new_base, 0o700)
+                os.mkdir(new_base, pywikibot.config2.private_files_permission)
             except Exception:
                 pywikibot.error("ERROR: directory creation failed")
                 continue
diff --git a/pywikibot/config2.py b/pywikibot/config2.py
index 3792be5..0343338 100644
--- a/pywikibot/config2.py
+++ b/pywikibot/config2.py
@@ -24,6 +24,7 @@
 
 import collections
 import os
+import stat
 import sys
 
 from warnings import warn
@@ -37,7 +38,7 @@
 
 
 # Please keep _imported_modules in sync with the imports above
-_imported_modules = ('os', 'sys', 'collections')
+_imported_modules = ('collections', 'os', 'stat', 'sys')
 
 # IMPORTANT:
 # Do not change any of the variables in this file. Instead, make
@@ -151,6 +152,27 @@
 #          relevant summary for bot edits
 default_edit_summary = u'Pywikibot v.2'
 
+# What permissions to use to set private files to it
+# such as password file.
+#
+# stat.S_IRWXU 0o700 mask for owner permissions
+# stat.S_IRUSR 0o400 read permission for owner
+# stat.S_IWUSR 0o200 write permission for owner
+# stat.S_IXUSR 0o100 execute permission for owner
+# stat.S_IRWXG 0o070 mask for group permissions
+# stat.S_IRGRP 0o040 read permission for group
+# stat.S_IWGRP 0o020 write permission for group
+# stat.S_IXGRP 0o010 execute permission for group
+# stat.S_IRWXO 0o007 mask for others permissions
+# stat.S_IROTH 0o004 read permission for others
+# stat.S_IWOTH 0o002 write permission for others
+# stat.S_IXOTH 0o001 execute permission for others
+private_files_permission = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
+
+# Allow user to stop warnings about file security
+# by setting this to true.
+ignore_file_security_warnings = False
+
 
 def get_base_dir(test_directory=None):
     r"""Return the directory in which user-specific information is
stored.
@@ -226,7 +248,7 @@
             for dir in base_dir_cand:
                 dir = os.path.join(*dir)
                 if not os.path.isdir(dir):
-                    os.makedirs(dir, mode=0o700)
+                    os.makedirs(dir, mode=private_files_permission)
                 if exists(dir):
                     base_dir = dir
                     break
@@ -916,6 +938,17 @@
           "Defaulting to family='test' and mylang='test'.")
     family = mylang = 'test'
 
+# SECURITY WARNINGS
+if (not ignore_file_security_warnings and
+        private_files_permission & (stat.S_IRWXG | stat.S_IRWXO) != 0):
+    print("CRITICAL SECURITY WARNING: 'private_files_permission' is
set"
+          " to allow access from the group/others which"
+          " could give them access to the sensitive files."
+          " To avoid giving others access to sensitive files, pywikibot"
+          " won't run with this setting. Choose a more restrictive"
+          " permission or set 'ignore_file_security_warnings' to
true.")
+    sys.exit(1)
+
 #
 # When called as main program, list all configuration variables
 #
diff --git a/pywikibot/login.py b/pywikibot/login.py
index b2ace77..dff941b 100644
--- a/pywikibot/login.py
+++ b/pywikibot/login.py
@@ -10,6 +10,9 @@
 __version__ = '$Id$'
 #
 import codecs
+import os
+import stat
+
 from warnings import warn
 
 import pywikibot
@@ -174,6 +177,13 @@
         (u"wikipedia", u"my_wikipedia_user",
u"my_wikipedia_pass")
         (u"en", u"wikipedia", u"my_en_wikipedia_user",
u"my_en_wikipedia_pass")
         """
+        # We fix password file permission first,
+        # lift upper permission (regular file) from st_mode
+        # to compare it with private_files_permission.
+        if os.stat(config.password_file).st_mode - stat.S_IFREG \
+                != config.private_files_permission:
+            os.chmod(config.password_file, config.private_files_permission)
+
         password_f = codecs.open(config.password_file, encoding='utf-8')
         for line in password_f:
             if not line.strip():

-- 
To view, visit https://gerrit.wikimedia.org/r/192253
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I8b4d560a5c0ce17056a3edb1a340a1369100af8e
Gerrit-PatchSet: 10
Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-Owner: Mjbmr &lt;mjbmri(a)gmail.com&gt;
Gerrit-Reviewer: John Vandenberg &lt;jayvdb(a)gmail.com&gt;
Gerrit-Reviewer: Ladsgroup &lt;ladsgroup(a)gmail.com&gt;
Gerrit-Reviewer: Merlijn van Deen &lt;valhallasw(a)arctus.nl&gt;
Gerrit-Reviewer: Mjbmr &lt;mjbmri(a)gmail.com&gt;
Gerrit-Reviewer: XZise &lt;CommodoreFabianus(a)gmx.de&gt;
Gerrit-Reviewer: jenkins-bot <>


    