Merge pull request #41995 from terminalmage/token-umask

Temporarily set the umask before writing an auth token
2025-04-17 10:10:20 +00:00 · 2017-06-28 20:09:47 -05:00 · 2017-06-28 20:09:47 -05:00 · 6a3c03c2d5
commit 6a3c03c2d5
parent e3801b0e78 4f54b0069f
2 changed files with 27 additions and 7 deletions
--- a/salt/auth/init.py
+++ b/salt/auth/init.py
@ -31,6 +31,7 @@ import salt.config
 import salt.loader
 import salt.transport.client
 import salt.utils
+import salt.utils.files
 import salt.utils.minions
 import salt.payload

@ -193,8 +194,13 @@ class LoadAuth(object):
        if 'groups' in load:
            tdata['groups'] = load['groups']

-        with salt.utils.fopen(t_path, 'w+b') as fp_:
-            fp_.write(self.serial.dumps(tdata))
+        try:
+            with salt.utils.files.set_umask(0o177):
+                with salt.utils.fopen(t_path, 'w+b') as fp_:
+                    fp_.write(self.serial.dumps(tdata))
+        except (IOError, OSError):
+            log.warning('Authentication failure: can not write token file "{0}".'.format(t_path))
+            return {}
        return tdata

    def get_tok(self, tok):
@ -473,14 +479,12 @@ class Resolver(object):
        tdata = self._send_token_request(load)
        if 'token' not in tdata:
            return tdata
-        oldmask = os.umask(0o177)
        try:
-            with salt.utils.fopen(self.opts['token_file'], 'w+') as fp_:
-                fp_.write(tdata['token'])
+            with salt.utils.files.set_umask(0o177):
+                with salt.utils.fopen(self.opts['token_file'], 'w+') as fp_:
+                    fp_.write(tdata['token'])
        except (IOError, OSError):
            pass
-        finally:
-            os.umask(oldmask)
        return tdata

    def mk_token(self, load):
--- a/salt/utils/files.py
+++ b/salt/utils/files.py
@ -234,3 +234,19 @@ def wait_lock(path, lock_fn=None, timeout=5, sleep=0.1, time_start=None):
        if obtained_lock:
            os.remove(lock_fn)
            log.trace('Write lock for %s (%s) released', path, lock_fn)
+
+
+@contextlib.contextmanager
+def set_umask(mask):
+    '''
+    Temporarily set the umask and restore once the contextmanager exits
+    '''
+    if salt.utils.is_windows():
+        # Don't attempt on Windows
+        yield
+    else:
+        try:
+            orig_mask = os.umask(mask)
+            yield
+        finally:
+            os.umask(orig_mask)