Merge branch 'improve-mode-handling' of https://github.com/Firstyear/osc

Only change the mode of a config file if it is different from 0o600 (instead of unconditionally calling os.chmod). The advantage of the new behavior is that it also works with a read-only filesystem. Additionally, if the mode is not 0o600 and the config file resides on a read-only filesystem, we print a warning and continue (actually, this change is debatable but it is also not too bad because the config file does not necessarily have to contain the passwords anymore... (let's keep our fingers crossed that no 3rd party application relied on the "implicit" os.chmod API, though)).
2024-11-09 22:36:14 +01:00 · 2021-10-25 15:54:32 +02:00 · 2021-10-25 15:54:32 +02:00 · 3ba867cf94
commit 3ba867cf94
parent 16ec3ff9f9 d56a46b669
1 changed files with 10 additions and 1 deletions
--- a/osc/conf.py
+++ b/osc/conf.py
@ -38,6 +38,7 @@ The configuration dictionary could look like this:

 import bz2
 import base64
+import errno
 import os
 import re
 import sys
@ -896,7 +897,15 @@ def get_config(override_conffile=None,
    # okay, we made sure that oscrc exists

    # make sure it is not world readable, it may contain a password.
-    os.chmod(conffile, 0o600)
+    conffile_stat = os.stat(conffile)
+    if conffile_stat.st_mode != 0o600:
+        try:
+            os.chmod(conffile, 0o600)
+        except OSError as e:
+            if e.errno == errno.EROFS:
+                print('Warning: file \'%s\' may have an insecure mode.', conffile)
+            else:
+                raise e

    cp = get_configParser(conffile)