From 2795301937b5687ff1045402354f89b94de54927 Mon Sep 17 00:00:00 2001
From: Teodora Sechkova
Date: Tue, 14 Apr 2020 15:12:10 +0300
Subject: [PATCH] Create private keys with file permissions 0o600
Update generate_and_write_{rsa, ed25519, ecdsa}_keypair functions to create private keys with read and write permissions for the user only (0o600). Update util.persist_temp_file() with an optional permissions parameter.
Signed-off-by: Teodora Sechkova
---
 securesystemslib/interface.py | 11 ++++++++---
 securesystemslib/util.py | 8 ++++++--
 2 files changed, 14 insertions(+), 5 deletions(-)
 mode change 100755 => 100644 securesystemslib/interface.py
diff --git a/securesystemslib/interface.py b/securesystemslib/interface.py
old mode 100755
new mode 100644
index 38ed68a0d..785d8ed5b
--- a/securesystemslib/interface.py
+++ b/securesystemslib/interface.py
@@ -69,6 +69,8 @@
 # Supported key types.
 SUPPORTED_KEY_TYPES = ['rsa', 'ed25519']
+# Private keys are created with read and write permissions for the user only
+PRIVATE_KEY_MODE = 0o600
 def _prompt(message, result_type=str):
@@ -235,7 +237,8 @@ def generate_and_write_rsa_keypair(filepath=None, bits=DEFAULT_RSA_KEY_BITS,
 # extension.
 file_object = tempfile.TemporaryFile()
 file_object.write(private.encode('utf-8'))
- securesystemslib.util.persist_temp_file(file_object, filepath)
+ securesystemslib.util.persist_temp_file(file_object, filepath,
+ permissions=PRIVATE_KEY_MODE)
 return filepath
@@ -548,7 +551,8 @@ def generate_and_write_ed25519_keypair(filepath=None, password=None):
 # Raise 'securesystemslib.exceptions.CryptoError' if 'ed25519_key' cannot be
 # encrypted.
 file_object.write(ed25519_key.encode('utf-8'))
- securesystemslib.util.persist_temp_file(file_object, filepath)
+ securesystemslib.util.persist_temp_file(file_object, filepath,
+ permissions=PRIVATE_KEY_MODE)
 return filepath
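Review bot: The comment above `PRIVATE_KEY_MODE` in the -69 hunk should say that the value is a POSIX mode and is not an access control on Windows, where Python's chmod only toggles the read-only flag and ignores the remaining bits. Suggested wording: `# POSIX mode for private key files (owner read/write only); not enforced on Windows, where ACLs govern access.` How the mode is actually applied is decided by the storage backend, which is outside this hunk.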
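Review bot: Passing `permissions=PRIVATE_KEY_MODE` in the -235 hunk (and in the matching ed25519 hunk at -548 and ecdsa hunk at -803) only protects the key if the backend applies the mode when the file is created. If `filepath` already exists with wider permissions, or the file is written first and chmod-ed afterwards, the private key can be readable by other local users. The backend's `put()` is not part of this patch, so neither case can be ruled out from these lines. The diffstat also lists no test file; I would add a check after each call such as `assert stat.S_IMODE(os.stat(filepath).st_mode) == 0o600`, including a case where the target pre-exists with mode 0o644. The function bodies start outside the hunks.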
@@ -803,7 +807,8 @@ def generate_and_write_ecdsa_keypair(filepath=None, password=None):
 # encrypted.
 encrypted_key = securesystemslib.keys.encrypt_key(ecdsa_key, password)
 file_object.write(encrypted_key.encode('utf-8'))
- securesystemslib.util.persist_temp_file(file_object, filepath)
+ securesystemslib.util.persist_temp_file(file_object, filepath,
+ permissions=PRIVATE_KEY_MODE)
 return filepath
diff --git a/securesystemslib/util.py b/securesystemslib/util.py
index 7af85c943..38d330afe 100644
--- a/securesystemslib/util.py
+++ b/securesystemslib/util.py
@@ -103,7 +103,7 @@ def get_file_details(filepath, hash_algorithms=['sha256'],
 def persist_temp_file(temp_file, persist_path, storage_backend=None,
- should_close=True):
+ should_close=True, permissions=None):
 """ Copies 'temp_file' (a file like object) to a newly created non-temp file at
@@ -126,6 +130,10 @@ def persist_temp_file(temp_file, persist_path, storage_backend=None,
 A boolean indicating whether the file should be closed after it has been persisted. Default is True, the file is closed.
+ permissions:
+ Custom file permissions for the newly created file. If None, the default
+ OS permissions apply. + None.
@@ -136,7 +140,7 @@ def persist_temp_file(temp_file, persist_path, storage_backend=None,
 if storage_backend is None:
 storage_backend = securesystemslib.storage.FilesystemBackend()
- storage_backend.put(temp_file, persist_path)
+ storage_backend.put(temp_file, persist_path, permissions)
 if should_close:
 temp_file.close()
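Review bot: The new `permissions` entry in the -126 docstring hunk does not say what form the value takes or who enforces it. I would document it as an integer POSIX mode that is forwarded unchanged to `storage_backend.put()`, and state what a backend that cannot apply file modes is expected to do. Suggested first line: `Integer file mode (e.g. 0o600) passed to the storage backend's put().` The docstring begins and ends outside the hunk.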
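Review bot: In the -136 hunk, `storage_backend.put(temp_file, persist_path, permissions)` passes a third positional argument to every backend, including caller-supplied ones, even when `permissions` is None. A custom backend whose `put()` still takes two arguments would then raise TypeError on every persist. storage.py is not in this patch's diffstat, so I cannot see whether `FilesystemBackend.put()` or the storage interface were extended to match. Forwarding the argument only when it is set keeps existing backends working: `if permissions is None: storage_backend.put(temp_file, persist_path)` and otherwise the three-argument call. The implementation should also create the file with the restricted mode (for example `os.open` with `O_CREAT` and the mode) instead of chmod after writing, so the key is never on disk with umask-default permissions.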