MTR stores credentials in .config/METIS/TestRunner.conf, but creates that file as world readable.
Home directories are often world readable too in university settings; and sometimes people make them open deliberately. And they are often accessible from any machine. That means that the credentials in the file are readable by everyone.
Please change the permissions of the configuration (or perhaps the entire .config/METIS/ directory) to be go-r by default.
The current credentials are only those for the MetisWISE pip repository, which is not terribly secret, but the actual users database credentials should definitely not be stored like this.
In general, it is bad form to store credentials in plain text without warning the user; it would be better to use e.g. libsecret for that. But let's ignore that for the moment; as it is ok-ish if the file is only readable by the user.
Note that these pip credentials do not have to be stored at all, since they are not necessary after installation.
(Should we enable "Private vulnerability reporting" on these repositories?)
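The fix requested above, shown as an added example that is not MTR's own code: a config file is created with mode 0600 (and its directory with 0700) at creation time via `os.open`, so there is no window in which it is group- or world-readable, and a small check reports whether an existing file leaks to other users. The `.config/METIS/TestRunner.conf` layout mirrors the issue but is redirected into a temporary directory, and the credential values are constructed placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path

# Path layout from the issue (~/.config/METIS/TestRunner.conf), relative to a
# "home" directory that the demo replaces with a temporary directory.
CONF_RELATIVE = Path(".config") / "METIS" / "TestRunner.conf"


def group_or_world_bits(path: Path) -> int:
    """Return the permission bits that grant group/other any access (0 = owner-only)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def is_private(path: Path) -> bool:
    """True when neither group nor other has read, write or execute on the path."""
    return group_or_world_bits(path) == 0


def write_private_config(path: Path, content: str) -> None:
    """Write a config file so it is never readable by other users.

    - the parent directory is created (or tightened) to mode 0700, i.e. go-rwx;
    - the file is created with os.open and mode 0600, so the restrictive mode is
      applied at creation (the umask can only remove bits, never add them);
    - an explicit chmod fixes up a pre-existing file that was created too open,
      because O_CREAT does not change the mode of a file that already exists.
    """
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    os.chmod(path.parent, 0o700)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(path, 0o600)


def demo() -> tuple:
    """Reproduce the reported state, then fix it.

    Returns (exposed_before, exposed_after), each True when the config file or
    its directory is accessible to group/other.
    """
    with tempfile.TemporaryDirectory() as home:
        conf = Path(home) / CONF_RELATIVE
        conf.parent.mkdir(parents=True)
        # The problematic pattern: a plain write inherits the umask, which on most
        # systems yields 0644. The mode is forced to 0644 here so the demo does
        # not depend on the umask of the machine it runs on.
        conf.write_text(
            "[pip]\nusername = constructed-user\npassword = constructed-secret\n"
        )
        os.chmod(conf, 0o644)
        exposed_before = not is_private(conf)

        write_private_config(conf, conf.read_text(encoding="utf-8"))
        exposed_after = not (is_private(conf) and is_private(conf.parent))
        return (exposed_before, exposed_after)


if __name__ == "__main__":
    before, after = demo()
    print(f"readable by others before fix: {before}, after fix: {after}")
```

`is_private` is also usable as a startup check: if the existing file reports group/other bits, the program can tighten the mode (or warn) before it reads the credentials, which covers installations created before the fix.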