jenkins-bot has submitted this change and it was merged.
Change subject: introducing new config variable: private_files_permission ......................................................................
introducing new config variable: private_files_permission
Change-Id: I8b4d560a5c0ce17056a3edb1a340a1369100af8e --- M generate_user_files.py M pywikibot/config2.py M pywikibot/login.py 3 files changed, 46 insertions(+), 3 deletions(-)
Approvals: John Vandenberg: Looks good to me, approved XZise: Looks good to me, but someone else must approve jenkins-bot: Verified
diff --git a/generate_user_files.py b/generate_user_files.py
index c98c535..825f948 100644
--- a/generate_user_files.py
+++ b/generate_user_files.py
@@ -79,7 +79,7 @@ break else: try: - os.mkdir(new_base, 0o700) + os.mkdir(new_base, pywikibot.config2.private_files_permission) except Exception: pywikibot.error("ERROR: directory creation failed") continue
diff --git a/pywikibot/config2.py b/pywikibot/config2.py
index 3792be5..0343338 100644
--- a/pywikibot/config2.py
+++ b/pywikibot/config2.py
@@ -24,6 +24,7 @@
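Review bot: The mode passed to `os.mkdir` here is masked by the process umask and ignored entirely on Windows, so the created directory can end up with a mode that differs from `private_files_permission`; the same applies to the `os.makedirs(dir, mode=private_files_permission)` line in config2's get_base_dir hunk. If the setting is meant as a guarantee, follow the creation with `os.chmod(new_base, pywikibot.config2.private_files_permission)` (umask does not apply to chmod), or document the value as an upper bound rather than a guarantee. It also appears that this `else:` branch runs only when the directory is created here, so a pre-existing directory keeps whatever mode it already has. The enclosing loop starts outside the hunk.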
import collections import os +import stat import sys
from warnings import warn
@@ -37,7 +38,7 @@
# Please keep _imported_modules in sync with the imports above
-_imported_modules = ('os', 'sys', 'collections')
+_imported_modules = ('collections', 'os', 'stat', 'sys')
# IMPORTANT: # Do not change any of the variables in this file. Instead, make
@@ -151,6 +152,27 @@ # relevant summary for bot edits default_edit_summary = u'Pywikibot v.2'
+# What permissions to use to set private files to it
+# such as password file.
+#
+# stat.S_IRWXU 0o700 mask for owner permissions
+# stat.S_IRUSR 0o400 read permission for owner
+# stat.S_IWUSR 0o200 write permission for owner
+# stat.S_IXUSR 0o100 execute permission for owner
+# stat.S_IRWXG 0o070 mask for group permissions
+# stat.S_IRGRP 0o040 read permission for group
+# stat.S_IWGRP 0o020 write permission for group
+# stat.S_IXGRP 0o010 execute permission for group
+# stat.S_IRWXO 0o007 mask for others permissions
+# stat.S_IROTH 0o004 read permission for others
+# stat.S_IWOTH 0o002 write permission for others
+# stat.S_IXOTH 0o001 execute permission for others
+private_files_permission = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
+
+# Allow user to stop warnings about file security
+# by setting this to true.
+ignore_file_security_warnings = False
+
def get_base_dir(test_directory=None): r"""Return the directory in which user-specific information is stored.
@@ -226,7 +248,7 @@ for dir in base_dir_cand: dir = os.path.join(*dir) if not os.path.isdir(dir): - os.makedirs(dir, mode=0o700) + os.makedirs(dir, mode=private_files_permission) if exists(dir): base_dir = dir break
@@ -916,6 +938,17 @@ "Defaulting to family='test' and mylang='test'.") family = mylang = 'test'
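Review bot: The comment above `ignore_file_security_warnings` (`# Allow user to stop warnings about file security`) undersells the flag: the check it guards further down in this file prints a warning and then calls `sys.exit(1)`, so setting it to True disables a fatal start-up check, not a warning. I would reword it to `# Set to True to let pywikibot start even though private_files_permission grants group/other access; this disables the fatal check below, not merely a warning.`. The `private_files_permission` comment could also state that the same value is applied to directories (which need the execute bit to be traversable) and to regular files such as the password file, which is presumably why S_IXUSR is part of the default.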
+# SECURITY WARNINGS
+if (not ignore_file_security_warnings and
+ private_files_permission & (stat.S_IRWXG | stat.S_IRWXO) != 0):
+ print("CRITICAL SECURITY WARNING: 'private_files_permission' is set"
+ " to allow access from the group/others which"
+ " could give them access to the sensitive files."
+ " To avoid giving others access to sensitive files, pywikibot"
+ " won't run with this setting. Choose a more restrictive"
+ " permission or set 'ignore_file_security_warnings' to true.")
+ sys.exit(1) + # # When called as main program, list all configuration variables #
diff --git a/pywikibot/login.py b/pywikibot/login.py
index b2ace77..dff941b 100644
--- a/pywikibot/login.py
+++ b/pywikibot/login.py
@@ -10,6 +10,9 @@ __version__ = '$Id$' # import codecs
+import os
+import stat + from warnings import warn
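Review bot: `sys.exit(1)` at module import time means any program that merely imports pywikibot (tests, embedding applications, tools that only read config values) is terminated by a `SystemExit` raised from inside `config2`, and the message goes to stdout via `print`. A library module should raise instead, e.g. `raise RuntimeError("private_files_permission grants group/other access to private files")`, so the caller can catch or log it; if exiting is kept, the text belongs on stderr. The message also tells the user to set the flag to 'true' while the Python value is `True`, which is likely to trip up users editing their user-config. Operator precedence is correct here (`&` binds tighter than `!=` in Python), but parentheses around the `&` expression would spare the next reader that check.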
import pywikibot
@@ -174,6 +177,13 @@ (u"wikipedia", u"my_wikipedia_user", u"my_wikipedia_pass") (u"en", u"wikipedia", u"my_en_wikipedia_user", u"my_en_wikipedia_pass") """
+ # We fix password file permission first,
+ # lift upper permission (regular file) from st_mode
+ # to compare it with private_files_permission.
+ if os.stat(config.password_file).st_mode - stat.S_IFREG \
+ != config.private_files_permission:
+ os.chmod(config.password_file, config.private_files_permission)
+ password_f = codecs.open(config.password_file, encoding='utf-8') for line in password_f: if not line.strip():
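Review bot: `st_mode - stat.S_IFREG` is the wrong way to extract permission bits: st_mode also carries the setuid/setgid/sticky bits, and if `password_file` is not a regular file the subtraction yields a meaningless number; use `stat.S_IMODE(os.stat(config.password_file).st_mode)`. The `!=` comparison also loosens permissions: a password file already at 0o600, stricter than the 0o700 default, is chmod-ed up to 0o700, so the fix should fire only when bits outside the allowed set are present, e.g. `mode = stat.S_IMODE(os.stat(config.password_file).st_mode)` / `if mode & ~config.private_files_permission:` / `os.chmod(config.password_file, mode & config.private_files_permission)`. Both `os.stat` and `os.chmod` follow symlinks, and on Windows chmod only toggles the read-only flag, so this remains a best-effort hardening rather than a guarantee and the comment should say so. The enclosing function starts outside the hunk.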