Improve fs security for itsdangerous secret.

Set mode 700 on the directory, mode 600 on the file.
2013-03-22 19:12:55 +01:00 · 2013-03-22 19:12:55 +01:00 · bb530c4445
commit bb530c4445
parent 5a8aae3aba
1 changed files with 6 additions and 2 deletions
--- a/mediagoblin/tools/crypto.py
+++ b/mediagoblin/tools/crypto.py
@ -38,14 +38,18 @@ def setup_crypto():
    global __itsda_secret
    dir = mg_globals.app_config["crypto_path"]
    if not os.path.isdir(dir):
-        _log.info("Creating %s", dir)
        os.makedirs(dir)
+        os.chmod(dir, 0700)
+        _log.info("Created %s", dir)
    name = os.path.join(dir, "itsdangeroussecret.bin")
    if os.path.exists(name):
        __itsda_secret = file(name, "r").read()
    else:
        __itsda_secret = str(getrandbits(192))
-        file(name, "w").write(__itsda_secret)
+        f = file(name, "w")
+        f.write(__itsda_secret)
+        f.close()
+        os.chmod(name, 0600)
        _log.info("Created %s", name)