mode security concern #85547

Closed
YoSTEALTH mannequin opened this issue Jul 23, 2020 · 3 comments

YoSTEALTH mannequin commented Jul 23, 2020

BPO 41375
Nosy @serhiy-storchaka, @YoSTEALTH

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = <Date 2020-07-23.16:34:25.616>
created_at = <Date 2020-07-23.15:07:20.612>
labels = ['invalid', 'expert-IO']
title = '`mode` security concern'
updated_at = <Date 2020-07-23.18:01:05.189>
user = 'https://github.com/YoSTEALTH'

bugs.python.org fields:

activity = <Date 2020-07-23.18:01:05.189>
actor = 'serhiy.storchaka'
assignee = 'none'
closed = True
closed_date = <Date 2020-07-23.16:34:25.616>
closer = 'YoSTEALTH'
components = ['IO']
creation = <Date 2020-07-23.15:07:20.612>
creator = 'YoSTEALTH'
dependencies = []
files = []
hgrepos = []
issue_num = 41375
keywords = []
message_count = 3.0
messages = ['374138', '374142', '374144']
nosy_count = 2.0
nosy_names = ['serhiy.storchaka', 'YoSTEALTH']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = 'resolved'
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue41375'
versions = []

YoSTEALTH mannequin commented Jul 23, 2020

```python
import os
import stat
import os.path


def problem(tmp_path):
    # result:
    # check: False
    # mode: 416

    # create temp file
    fd = os.open(tmp_path, os.O_CREAT, 0o660)
    os.close(fd)

    # Directory is affected as well
    # os.mkdir(tmp_path, 0o660)


def solution(tmp_path):
    # result:
    # check: True
    # mode: 432

    old_umask = os.umask(0)

    # create temp file
    fd = os.open(tmp_path, os.O_CREAT, 0o660)
    os.close(fd)

    # create temp dir
    # os.mkdir(tmp_path, 0o660)

    os.umask(old_umask)


def main():
    tmp_path = '_testing-chmod'

    problem(tmp_path)
    # solution(tmp_path)

    try:
        s = os.stat(tmp_path)
        mode = stat.S_IMODE(s.st_mode)
        print('check:', mode == 0o660)
        print('mode:', mode)  # this should be: 432
    finally:
        # delete temp file
        try:
            os.unlink(tmp_path)
        except IsADirectoryError:
            os.rmdir(tmp_path)


if __name__ == '__main__':
    main()
```

This result is not the same for all OSes and distros; on multiple Linux systems, for example, the results will be different. I think Python should account for such behavior by default, as it can lead to file/dir creation with security issues.

@YoSTEALTH YoSTEALTH mannequin added topic-IO labels Jul 23, 2020
@serhiy-storchaka
Member

It is expected behavior on POSIX systems. See https://pubs.opengroup.org/onlinepubs/9699919799/functions/umask.html

What is the problem?

YoSTEALTH mannequin commented Jul 23, 2020

I am closing this as it's not an issue anymore... I was trying to solve a problem that has become a core feature!

@YoSTEALTH YoSTEALTH mannequin closed this as completed Jul 23, 2020
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
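
Added example, not part of the original thread or of CPython: it reproduces the 416 (`0o640`) and 432 (`0o660`) results discussed above by showing that the created mode is the requested mode with the umask bits cleared, and shows one way to get an exact mode without changing the process-wide umask. The function names and the scratch files are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def effective_mode(requested, umask):
    """Mode POSIX assigns at creation: the umask only clears bits, never adds."""
    return requested & ~umask & 0o7777


def create_with_umask(path, requested, umask):
    """Create `path` under a temporary umask and return the resulting mode."""
    old = os.umask(umask)          # process-wide; affects every thread
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
        os.close(fd)
    finally:
        os.umask(old)              # always restore, even if open() fails
    return stat.S_IMODE(os.stat(path).st_mode)


def create_exact(path, requested):
    """Create `path` with exactly `requested`, leaving the umask untouched."""
    # Start owner-only so the file is never broader than intended, then
    # set the final bits on the open descriptor (fchmod ignores the umask).
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    try:
        os.fchmod(fd, requested)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:   # constructed scratch directory
        for umask in (0o000, 0o022, 0o027, 0o077):
            p = os.path.join(d, f"umask-{umask:03o}")
            results[umask] = create_with_umask(p, 0o660, umask)
        results["exact"] = create_exact(os.path.join(d, "exact"), 0o660)
    return results


if __name__ == "__main__":
    for key, mode in demo().items():
        label = key if isinstance(key, str) else f"umask {key:03o}"
        print(f"{label}: {mode:03o} ({mode})")
```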