author | Jürg Billeter <j@bitron.ch> | 2019-11-20 18:16:20 +0100 |
---|---|---|
committer | Jürg Billeter <j@bitron.ch> | 2019-11-25 09:45:22 +0100 |
commit | fb52fec156a8ab6cc5fe61a88b15009797ead9ac (patch) | |
tree | aed1fcb274d2a931c115603206d2181383ff0d97 | |
parent | e7ff106afc51ed618d8baf539e2fbe9b81d5d5d4 (diff) | |
utils.py: Respect umask in _tempdir()
This allows access by buildbox-casd running as a different user with a
suitable umask. As this is not generally safe in global temp directories
such as /tmp, make the `dir` parameter mandatory and add a note to the
documentation.
-rw-r--r-- | src/buildstream/utils.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/buildstream/utils.py b/src/buildstream/utils.py
index 73ee3c88b..7f7bf67b2 100644
--- a/src/buildstream/utils.py
+++ b/src/buildstream/utils.py
@@ -1020,6 +1020,13 @@ def _set_deterministic_mtime(directory):
 #
 # A context manager for doing work in a temporary directory.
 #
+# NOTE: Unlike mkdtemp(), this method may not restrict access to other
+# users. The process umask is the only access restriction, similar
+# to mkdir().
+# This is potentially insecure. Do not create directories in /tmp
+# with this method. *Only* use this in directories whose parents are
+# more tightly controlled (i.e., non-public directories).
+#
 # Args:
 # dir (str): A path to a parent directory for the temporary directory
 # suffix (str): A suffix for the temproary directory name
@@ -1033,7 +1040,14 @@ def _set_deterministic_mtime(directory):
 # supports cleaning up the temp directory on SIGTERM.
 #
 @contextmanager
-def _tempdir(suffix="", prefix="tmp", dir=None): # pylint: disable=redefined-builtin
+def _tempdir(*, suffix="", prefix="tmp", dir): # pylint: disable=redefined-builtin
+    # Do not allow fallback to a global temp directory. Due to the chmod
+    # below, this method is not safe to be used in global temp
+    # directories such as /tmp.
+    assert (
+        dir
+    ), "Creating directories in the public fallback `/tmp` is dangerous. Please use a directory with tight access controls."
+
     tempdir = tempfile.mkdtemp(suffix=suffix, prefix=prefix, dir=dir)
 
     def cleanup_tempdir():
@@ -1042,6 +1056,9 @@ def _tempdir(suffix="", prefix="tmp", dir=None): # pylint: disable=redefined-bu
     try:
         with _signals.terminator(cleanup_tempdir):
+            # Apply mode allowed by umask
+            os.chmod(tempdir, 0o777 & ~_UMASK)
+
             yield tempdir
     finally:
         cleanup_tempdir()
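Review bot: The `assert dir` guard added in the second hunk of `_tempdir` is stripped under `python -O`, so the only runtime defence against a caller passing `dir=None` (which would let mkdtemp fall back to the global temp directory the new NOTE warns about) disappears in optimized runs. Since this is input validation rather than an internal invariant, raise instead: `if not dir:` / `raise ValueError("_tempdir() requires an explicit, access-controlled parent directory; the global temp directory is not safe with umask-based modes")`. In the third hunk, `0o777 & ~_UMASK` reads the module-level `_UMASK`, which is presumably captured once at import time; if the process umask is changed later the directory mode will not reflect it, which deserves a short comment at the chmod, e.g. `# _UMASK is sampled at import; a later os.umask() change is not reflected here`. The body of `_tempdir` (cleanup_tempdir and the terminator handling) continues outside the hunks.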