[Labs-l] Storing oauth tokens in a tool account
Tim Landscheidt
tim at tim-landscheidt.de
Fri Feb 3 06:10:02 UTC 2017
Bryan Davis <bd808 at wikimedia.org> wrote:
>> The file itself is written by the web server user (which is always the
>> same as the tool account isn't it?) and then chmod'd 0660. Is that
>> enough?
> If you write the contents and then chmod there is a small race
> condition introduced where the data might be visible to another
> user/process. To make sure that others can not see the file contents
> you should:
> * create an empty file: touch( $file ) [0]
> * make the file readable only by the web server process: chmod( $file,
> 0600 ) [1]
> * write the token to the file: file_put_contents( $file, $token )
> […]
What happens on Linux when (on the premise that $file is by
default readable by somebody else) another process opens the
file between 1. and 2. for reading if the file is not on
NFS? chmod(2) says:
| […]
| On NFS filesystems, restricting the permissions will immediately
| influence already open files, because the access control is done
| on the server, but open files are maintained by the client.
| Widening the permissions may be delayed for other clients if
| attribute caching is enabled on them.
| […]
but does not mention local filesystems.
In general, one can use umask(), or tempnam() if lazy and/or
possible, but it's very easy to miss attack vectors. (So I
would suggest using the database as well :-).)
Tim
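An added example, not code from either message in this thread, showing how to avoid the write-then-chmod window discussed above in PHP: the token is written to a temp file that tempnam() creates with mode 0600 in the target directory and then rename()d over the final path. It assumes a local filesystem (so rename is atomic) and that the directory is writable by the web server user; the file name and token value are placeholders.

```php
<?php
declare(strict_types=1);

/**
 * Write $secret to $file so that no other user can read it at any point.
 *
 * "Write, then chmod" leaves a window in which the file is readable under
 * the default umask, and on a local filesystem a process that opened the
 * file in that window keeps its access after the chmod. Writing into a
 * 0600 temp file and rename()ing it over $file avoids both problems.
 */
function writeSecretFile(string $file, string $secret): void
{
    $dir = realpath(dirname($file));
    if ($dir === false) {
        throw new RuntimeException("directory of $file does not exist");
    }

    // Belt and braces: nothing created in here may be group/world readable.
    $oldUmask = umask(0077);
    try {
        // tempnam() creates the file atomically with mode 0600, but it falls
        // back to the system temp dir if $dir is not writable, so verify.
        $tmp = tempnam($dir, '.token.');
        if ($tmp === false || realpath(dirname($tmp)) !== $dir) {
            if ($tmp !== false) {
                unlink($tmp);
            }
            throw new RuntimeException("cannot create temp file in $dir");
        }
        if (file_put_contents($tmp, $secret, LOCK_EX) !== strlen($secret)) {
            unlink($tmp);
            throw new RuntimeException("short write to $tmp");
        }
        // Atomic replace: a reader sees either the old file or the complete
        // new one, never a partial or world-readable file.
        if (!rename($tmp, $file)) {
            unlink($tmp);
            throw new RuntimeException("cannot rename $tmp to $file");
        }
    } finally {
        umask($oldUmask);
    }
}

// Constructed usage: placeholder path and token, not a real credential.
writeSecretFile(__DIR__ . '/oauth-token.txt', 'EXAMPLE-TOKEN-PLACEHOLDER');
```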