~/.gitsomeconfig world readable

[mcarpenter]

Hi,

This is a low-severity security issue.

By default, gh applies the user's umask to the ~/.gitsomeconfig file created by gh configure. Many systems do not have strict user umasks by default. For example, on the Ubuntu 18 system where I tested this the default umask is 022. Consequently ~/.gitsomeconfig has mode 0644, so is world readable. (On the same system, useradd(1) by default creates home directories with mode 0755, ie world accessible).

The ~/.gitsomeconfig configuration file contains the user's GitHub username and access token. The access token has full "repo" ("Full control of private repositories") and "user" ("Update all user data") permissions for GitHub. In this configuration, other local users might be able to steal and use these tokens.

Arguably this is operator error (Don't make your home world accessible! Set a stricter umask!) but the reality is that this sentiment won't make a difference, at least for some users. SSH has some precedent here: it will ignore publicly accessible private key files and won't let them be used.

The pertinent function is in gitsome/config.py, function save_config(), which just clobbers the config file:

            with open(config, 'w+') as config_file:
                parser.write(config_file)

This snippet could be wrapped in a couple of umask() calls (temporarily set to 077) as a minimal precaution on creating world-readable configuration files.

[Jimimaku]

Hi,

This is a low-severity security issue.

By default, gh applies the user's umask to the ~/.gitsomeconfig file created by gh configure. Many systems do not have strict user umasks by default. For example, on the Ubuntu 18 system where I tested this the default umask is 022. Consequently ~/.gitsomeconfig has mode 0644, so is world readable. (On the same system, useradd(1) by default creates home directories with mode 0755, ie world accessible).

The ~/.gitsomeconfig configuration file contains the user's GitHub username and access token. The access token has full "repo" ("Full control of private repositories") and "user" ("Update all user data") permissions for GitHub. In this configuration, other local users might be able to steal and use these tokens.

Arguably this is operator error (Don't make your home world accessible! Set a stricter umask!) but the reality is that this sentiment won't make a difference, at least for some users. SSH has some precedent here: it will ignore publicly accessible private key files and won't let them be used.

The pertinent function is in gitsome/config.py, function save_config(), which just clobbers the config file:

            with open(config, 'w+') as config_file:
                parser.write(config_file)

This snippet could be wrapped in a couple of umask() calls (temporarily set to 077) as a minimal precaution on creating world-readable configuration files.