Skip to content

Ensure We Do Not Inherit File Permissions For Written Key Files #279

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
vladimir-v-diaz opened this issue May 5, 2015 · 6 comments
Closed

Ensure We Do Not Inherit File Permissions For Written Key Files #279

vladimir-v-diaz opened this issue May 5, 2015 · 6 comments
Assignees
@lukpueh
Labels
securesystemslib Requires corresponding implementation in securesystemslib

Comments

@vladimir-v-diaz
Copy link
Contributor

For example: https://github.com/theupdateframework/tuf/blob/develop/tuf/repository_lib.py#L806
@trishankatdatadog trishankatdatadog added the securesystemslib Requires corresponding implementation in securesystemslib label Dec 17, 2019
@lukpueh lukpueh self-assigned this Dec 17, 2019
@lukpueh
Copy link
Member

lukpueh commented Mar 20, 2020

Based on the date, above link most likely pointed to a call to TempFile's move method, which was used to persist files (here a cryptographic key) to disk, and has been replaced by securesystemslib.util. persist_temp_file (in sslib#181).

But it is hard to guess what the OP meant by "do not inherit file permissions" (maybe use a custom umask?), and if so, what umask that should be (probably a restrictive one, since it talks about keys?).

I wonder if this request is still valid, or if this is just not in the scope of TUF.

cc @mnm678, @trishankatdatadog, @JustinCappos

@mnm678
Copy link
Contributor

mnm678 commented Mar 20, 2020

As the method in question has been replaced, I think we can close this issue, and reopen if it becomes an issue with the persist_temp_file method.

@trishankatdatadog
Copy link
Member

I guess he meant private keys should be written with umask 600, like how OpenSSH restricts the reading and writing of private keys to the user.

@lukpueh
Copy link
Member

lukpueh commented Mar 23, 2020

@trishankatdatadog, do you think it's worth keeping this (now clarified) feature request around? If so I can re-open it on the securesystemslib repo.

@trishankatdatadog
Copy link
Member

Yes, I think so, please

@lukpueh lukpueh mentioned this issue Mar 24, 2020
Closed
@lukpueh
Copy link
Member

lukpueh commented Mar 24, 2020

Will be fixed in secure-systems-lab/securesystemslib#222

@lukpueh lukpueh closed this as completed Mar 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lukpueh lukpueh

Labels
securesystemslib Requires corresponding implementation in securesystemslib
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lukpueh @vladimir-v-diaz @mnm678 @trishankatdatadog