How to use fdopen to minimize permissions on files generated by the Python process

Requirement background

When using python to create, read and write files, we rarely pay attention to the permission configuration of the created files. For some systems with higher security, if the file permissions we create have read permissions for other users or other users in the same user group, it may lead to the risk of unnecessary information leakage. Therefore, in addition to creating a more secure and private personal environment (such as a container environment, etc.), we can also minimize the permissions of the configuration of the generated files.

Common methods and defect analysis

The commonly used method of creating, reading and writing python files is to create a file directly through the built-in open function. If it is created using the with syntax, the opened object will be automatically closed after ending the statement. If you use the open function directly to define an object, you need to manually perform the close operation at the end of the task. The following demonstrates the usage of the built-in function open and its file operation attributes. First, create a file named file-test.py:

# file-test.py
 
with open('test1.txt', 'w') as file:
    file.write('hello world!')

The content of this task is: Create a file named test1.txt in the current directory file, clear the contents of the file, and write the string hello world! in the file. Next, use python3 to execute the file:

[dechin@dechin-manjaro os_security]$ python3 file-test.py
[dechin@dechin-manjaro os_security]$ ll
Total usage 8
-rw-r--r-- 1 dechin dechin 83 January 25 13:43 file-test.py
-rw-r--r-- 1 dechin dechin 12 January 25 13:43 test1.txt

Here we found that the file test1.txt was successfully generated after execution, and its permissions were configured to 644, consistent with the file-test.py created previously. When I didn't know the implementation principle of the built-in function open, I originally thought that the generated file permission configuration was consistent with the current py file. However, after further testing, the permissions of the py file were configured to 440 and then the file was re-executed:

[dechin@dechin-manjaro os_security]$ chmod 440 file-test.py
[ dechin@dechin-manjaro os_security]$ ll
Total usage 8
-r--r----- 1 dechin dechin 83 January 25 13:43 file-test.py
-rw-r --r-- 1 dechin dechin 12 January 25 13:43 test1.txt
[dechin@dechin-manjaro os_security]$ rm test1.txt
[dechin@dechin-manjaro os_security]$ python3 file-test .py
[dechin@dechin-manjaro os_security]$ ll
Total usage 8
-r--r----- 1 dechin dechin 83 January 25 13:43 file-test.py
-rw-r--r-- 1 dechin dechin 12 January 25 13:44 test1.txt

Here we can see from the test results that the file generated by python’s built-in function open The type is independent of the source py file. Regarding whether the execution of this py file requires executable permissions, you can refer to this blog.

Improved python file creation method

Through the fdopen library and special permission specification, we can set the access permissions of the generated file. A python code example is shown below:

# fdopen-test.py
 
import os
import stat
 
file_name = 'test2.txt'
flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
mode = stat.S_IRUSR | stat.S_IWUSR
 
with os.fdopen(os.open(file_name, flags, mode), 'w') as file:
    file.write('hello world!')

After execution, we can find that a file named test2.txt is generated in the current directory, and its permissions are configured as 600, compared with the mode = stat.S_IRUSR | stat.S_IWUSR we set in the code. Here we first explain some of the parameters: os.O_WRONLY means opening in write-only mode, os.O_CREAT means creating and opening a new file, os.O_EXCL means reporting an error if the file already exists. The permissions configured in mode correspond to the rwx configuration respectively, and USR, GRP, and OTH have subdivided configurations for users, user groups, and other users respectively, so that we can realize all types of permission configurations by changing the mode parameters. .

We can try to adjust the mode in the above use case, such as adding an executable permission to 700:

# fdopen-test.py
 
import os
import stat
 
file_name = 'test3.txt'
flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
mode = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
 
with os.fdopen(os.open(file_name, flags, mode), 'w') as file:
    file.write('hello world!')

Or, we need to add executable permissions for other users in the user group Access permissions, such as 640 permissions:

# fdopen-test.py
 
import os
import stat
 
file_name = 'test4.txt'
flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
mode = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
 
with os.fdopen(os.open(file_name, flags, mode), 'w') as file:
    file.write('hello world!')

We can even write out the system’s native 644 file permissions:

# fdopen-test.py
 
import os
import stat
 
file_name = 'test5.txt'
flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
mode = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH
 
with os.fdopen(os.open(file_name, flags, mode), 'w') as file:
    file.write('hello world!')

Finally, let’s take a look at the results obtained after executing the above python examples ：

[dechin@dechin-manjaro os_security]$ ll
Total usage 28
-rw-r--r-- 1 dechin dechin 269 January 25 14:58 fdopen- test.py
-r--r----- 1 dechin dechin 84 January 25 14:11 file-test.py
-rw-r--r-- 1 dechin dechin 12 January 25 13:44 test1.txt
-rw------- 1 dechin dechin 12 January 25 14:44 test2.txt
-rwx------ 1 dechin dechin 12 January 25 14 :48 test3.txt
-rw-r----- 1 dechin dechin 12 January 25 14:56 test4.txt
-rw-r--r-- 1 dechin dechin 12 January 25 14 :58 test5.txt

We can see from the results that all the generated files test*.txt are generated according to our expected file permission configuration. At this point we have completed all expected goals. .

The above is the detailed content of How to use fdopen to minimize permissions on files generated by the Python process. For more information, please follow other related articles on the PHP Chinese website!