Don't store authentication data in $HOME/.config

[rpdelaney]

• I have searched the issues of this repo and believe that this is not a duplicate.
• I have searched the documentation and believe that my question is not covered.

Issue

Related issues: #342 #464 #1239 #1659

I find that authentication data are stored in $XDG_CONFIG_HOME/pypoetry/auth.toml.

Users who do not expect authentication data to be stored here may accidentally back it up and synchronize it across systems improperly. Configuration data are fine, but prefer storing state data somewhere in $XDG_DATA_HOME to conform to the freedesktop.org / XDG standard and avoid this potentially serious security pitfall.

Reference: https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

$XDG_CONFIG_HOME defines the base directory relative to which user specific
configuration files should be stored. If $XDG_CONFIG_HOME is either not set or
empty, a default equal to $HOME/.config should be used.

$XDG_DATA_HOME defines the base directory relative to which user specific data
files should be stored. If $XDG_DATA_HOME is either not set or empty, a default
equal to $HOME/.local/share should be used.

A simplistic patch from c1f9838 :

diff --git i/poetry/factory.py w/poetry/factory.py
index 094ccdc..43dc53d 100644
--- i/poetry/factory.py
+++ w/poetry/factory.py
@@ -14,6 +14,7 @@ from .config.file_config_source import FileConfigSource
 from .io.null_io import NullIO
 from .json import validate_object
 from .locations import CONFIG_DIR
+from .locations import DATA_DIR
 from .packages.dependency import Dependency
 from .packages.locker import Locker
 from .packages.project_package import ProjectPackage
@@ -213,7 +214,7 @@ class Factory:
         config.set_config_source(FileConfigSource(config_file))
 
         # Load global auth config
-        auth_config_file = TomlFile(Path(CONFIG_DIR) / "auth.toml")
+        auth_config_file = TomlFile(Path(DATA_DIR) / "auth.toml")
         if auth_config_file.exists():
             if io.is_debug():
                 io.write_line(
diff --git i/poetry/locations.py w/poetry/locations.py
index 17fb4d4..77a0008 100644
--- i/poetry/locations.py
+++ w/poetry/locations.py
@@ -1,6 +1,8 @@
 from .utils.appdirs import user_cache_dir
 from .utils.appdirs import user_config_dir
+from .utils.appdirs import user_data_dir
 
 
 CACHE_DIR = user_cache_dir("pypoetry")
 CONFIG_DIR = user_config_dir("pypoetry")
+DATA_DIR = user_data_dir("pypoetry")

[MestreLion]

Actually, XDG_CONFIG_HOME is the proper place to store user settings, including authentication.

XDG_DATA_HOME is the user equivalent of /usr/share and /usr/local/share (hence the default value of $HOME/.local/share), and as such should hold static, non-modifiable data, save for package installs and upgrades. It's a place to install package data, not for files that are meant to be edited.

On the other hand, XDG_CONFIG_HOME is the user equivalent of /etc (and $HOME/.config is much more sensible than an hypothetical $HOME/.etc), and as such it should hold any files meant to be edited for configuration purposes.

Your security concerns are valid, and that's precisely why the reference implementation creates ~/.config and any subdirs with mode 700, just like any other sensitive dir such as ~/.ssh

[rpdelaney]

XDG_DATA_HOME is the user equivalent of /usr/share and /usr/local/share (hence the default value of $HOME/.local/share), and as such should hold static, non-modifiable data, save for package installs and upgrades. It's a place to install package data, not for files that are meant to be edited.

Looking at this again, you might be right here. I will look into this more deeply later.

Your security concerns are valid, and that's precisely why the reference implementation creates ~/.config and any subdirs with mode 700, just like any other sensitive dir such as ~/.ssh

My thinking about this, and I think the sympathy I've found when I raised this issue elsewhere, is motivated by the relatively novel practice of source-controlling the "dotfiles". With that in mind, this is not a mitigation to my concern. Having all the configuration files in one place also makes it tempting to distribute them in a tarball so that I can replicate my environment, but I might not trust every host equally.

Perhaps the spec simply does not support mitigation for this, though. That would make .gitignore the best option.

[MestreLion]

One shouldn't blindly publish his ~/.config the same way one should not publish his ~/.ssh or ~/.gnupg. The same security concerns one would have with his $HOME dotfiles should be applied to his $XDG_CONFIG_HOME. No one should add all dotdirs and dotfiles to source control before inspecting them. Even ~/.bashrc might contain sensitive information. ~/.bash_history certainly does.

Yes, one could use .gitignore as a safeguard for obviously-sensitive data, but the most sensible and sane approach is to selectively add only the dotfiles that make sense to version control. It's not only about sensitive data, some dotfiles store runtime data and there's no point to be backup up or version-controlled at all. Think about ~/.Xauthority, ~/.xsession-errors, etc.

[rpdelaney]

One shouldn't blindly publish his ~/.config

I mean, yes -- because it might have this stuff in there. If there is a way for an app to respect the spec and make this easier, then that would be ideal. Perhaps there isn't, though.

Yes, one could use .gitignore as a safeguard for obviously-sensitive data, but the most sensible and sane approach is to selectively add only the dotfiles that make sense to version control.

I don't see a distinction there.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.