tempfile.mkstemp: add mode=0o600 parameter

[ThomasWaldmann]

Enhancement

Currently the file mode for the temp file is hardcoded to be 0o600. While this might be a good default for real temporary files for security reasons, I propose it should offer flexibility if the use case is slightly different.

It can and should still default to 0o600, but should not be hardcoded.

Besides having "real" temp files that just get thrown away, a popular use case for temp files is also this:

• create a temp file in a specific parent directory (same as parent dir of final file)
• write data to the temp file (e.g. a new configuration file)
• close the file, sync data and metadata to disk
• atomically rename the temp file over the previous version of the file (must be on same fs for this, see step 1)
• sync again

That way, the file has always valid contents (either the old version or the new version) and you never get 0-bytes files or otherwise corrupted files.

The problem with the hardcoded 0o600 mode in such an application is that the file you end up with (and which is not temporary any more, but your final file (e.g. config file)) will also have that 0o600 mode, which is unexpected if your umask usually would create files with e.g. 0o660 mode.

Trying to "fix" the file mode has pitfalls:

• to get the umask, you have to set it (and potentially re-set it again to the returned value), which is awkward
• os.chmod is not supported on all filesystems and might throw an exception. this issue might go unnoticed until someone uses the code with e.g. cifs (samba share).
• even if the chmod works, posix ACLs might still behave in unexpected ways (see link in "previous discussion")

The root cause of this issue is the 0o600 mode. If one uses 0o666, everything behaves as normal, umask works, final mode is correct, ACLs don't get modified. Note that when giving mode=0o666, the umask will still get applied afterwards, so one might well end up with a 0o660 or 0o640 mode on the file.

Pitch

tempfile.mkstemp(..., mode=0o600)
tempfile._mkstemp_inner(..., mode)

So it is as secure as now by default and still usable for the above popular use case without people having to do dirty stuff.

Previous discussion

• 1st issue: borgbackup/borg#6400
• 1st fix: borgbackup/borg#6403
• 2nd issue borgbackup/borg#6786
• 2nd fix: borgbackup/borg#6787
• 3rd issue: borgbackup/borg#6933
• 3rd fix: borgbackup/borg#6936
• to be continued?

[ThomasWaldmann]

To avoid pains like the above, guess the related docs should explain why the mode is 0o600 by default and why 0o666 is a good value for the above use case.

[ThomasWaldmann]

Note: there might be a closely related issue for mkdtemp and mode 0o700 vs. 0o777.