From ac981c91aed7f7a8579bd2608ce6b6681aeabc82 Mon Sep 17 00:00:00 2001
From: Ken Dreyer <kdreyer@redhat.com>
Date: Aug 10 2020 16:29:36 +0000
Subject: centos-cert: safer permission handling for .centos.cert


Prior to this change, there was a small window of time where the
.centos.cert file would be stored with the default umask (eg. 0644 on
Fedora). This occurs between the time we close the file and the time we
chown it.

Open the file handle with the 0600 permissions immediately, so the file
is never world-readable.

---

diff --git a/SOURCES/centos-cert b/SOURCES/centos-cert
index 5385861..010c02b 100644
--- a/SOURCES/centos-cert
+++ b/SOURCES/centos-cert
@@ -39,7 +39,13 @@ def download_cert(username, password, topurl=None):
     userurl = urlparse.urlunsplit(userspliturl)
     servercaurl = urlparse.urlunsplit(servercaspliturl)
 
-    with open(os.path.expanduser(defaults.USER_CERT_FILE), 'w') as usercertfile:
+    certfile = os.path.expanduser(defaults.USER_CERT_FILE)
+    if os.path.exists(certfile):
+        # Delete file in case we are changing its mode
+        os.unlink(certfile)
+    flags = os.O_WRONLY | os.O_CREAT
+    mode = 0o600
+    with os.fdopen(os.open(certfile, flags, mode), 'w') as usercertfile:
         r = requests.post(userurl, params=params)
         try:
             r.raise_for_status()
@@ -72,8 +78,6 @@ Message: {1}""".format(e.response.status_code, e.response.reason)).strip()
     os.symlink(os.path.expanduser(defaults.SERVER_CA_CERT_FILE),
                os.path.expanduser(defaults.UPLOAD_CA_CERT_FILE))
 
-    os.chmod(os.path.expanduser(defaults.USER_CERT_FILE), 0o600)
-
 
 def main(opts):