From fa94a4f57a15ea013558e95f5b9df7c41b8dc217 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 29 Nov 2014 03:13:16 +0100 Subject: [PATCH 1/2] Fix chmods security error: 644 != 0644 --- letsencrypt/client/client.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/letsencrypt/client/client.py b/letsencrypt/client/client.py index 3fdcd7c1f..87d4b9d1f 100644 --- a/letsencrypt/client/client.py +++ b/letsencrypt/client/client.py @@ -384,7 +384,7 @@ class Client(object): """ cert_chain_abspath = None - cert_fd, cert_file = le_util.unique_file(CONFIG.CERT_PATH, 644) + cert_fd, cert_file = le_util.unique_file(CONFIG.CERT_PATH, 0644) cert_fd.write( crypto_util.b64_cert_to_pem(certificate_dict["certificate"])) cert_fd.close() @@ -392,7 +392,7 @@ class Client(object): cert_file) if certificate_dict.get("chain", None): - chain_fd, chain_fn = le_util.unique_file(CONFIG.CHAIN_PATH, 644) + chain_fd, chain_fn = le_util.unique_file(CONFIG.CHAIN_PATH, 0644) for cert in certificate_dict.get("chain", []): chain_fd.write(crypto_util.b64_cert_to_pem(cert)) chain_fd.close() From 3cfeac6f3baea7a2b9983086f8b4502fd5b5b32b Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 29 Nov 2014 03:31:12 +0100 Subject: [PATCH 2/2] PEP 3127, fixes pylint old-octal-literal. https://www.python.org/dev/peps/pep-3127 --- letsencrypt/client/apache_configurator.py | 6 +++--- letsencrypt/client/augeas_configurator.py | 2 +- letsencrypt/client/client.py | 14 +++++++------- letsencrypt/client/le_util.py | 4 ++-- letsencrypt/client/le_util_test.py | 16 ++++++++-------- letsencrypt/client/nginx_configurator.py | 6 +++--- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/letsencrypt/client/apache_configurator.py b/letsencrypt/client/apache_configurator.py index 080a3b24c..c8dd4df9a 100644 --- a/letsencrypt/client/apache_configurator.py +++ b/letsencrypt/client/apache_configurator.py 
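Review bot: The corrected literal on the `unique_file(CONFIG.CERT_PATH, 0644)` line is a creation-time request, not a guarantee: the kernel masks it with the process umask, and whether the file is ever exposed with a looser mode depends on `le_util.unique_file` handing it to the open call rather than chmod-ing afterwards (its body is outside this patch). A one-line comment would stop the next reader from "fixing" it back, e.g. `# octal 0644 (owner rw, world r); decimal 644 is 0o1204 — sticky bit, owner write-only, world read`. The same applies to the `CONFIG.CHAIN_PATH` hunk that follows. A regression test asserting `stat.S_IMODE(os.stat(cert_file).st_mode) == 0o644` would have caught the original decimal literal; nothing in the test hunks of this series checks a resulting mode.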
@@ -1242,9 +1242,9 @@ LogLevel warn \n\ have permissions of root """ - le_util.make_or_verify_dir(CONFIG.CONFIG_DIR, 0755) - le_util.make_or_verify_dir(CONFIG.WORK_DIR, 0755) - le_util.make_or_verify_dir(CONFIG.BACKUP_DIR, 0755) + le_util.make_or_verify_dir(CONFIG.CONFIG_DIR, 0o755) + le_util.make_or_verify_dir(CONFIG.WORK_DIR, 0o755) + le_util.make_or_verify_dir(CONFIG.BACKUP_DIR, 0o755) def standardize_excl(self): """Standardize the excl arguments for the Httpd lens in Augeas. diff --git a/letsencrypt/client/augeas_configurator.py b/letsencrypt/client/augeas_configurator.py index 89d7277ec..8bfd4c1ff 100644 --- a/letsencrypt/client/augeas_configurator.py +++ b/letsencrypt/client/augeas_configurator.py @@ -257,7 +257,7 @@ class AugeasConfigurator(configurator.Configurator): :type save_files: set """ - le_util.make_or_verify_dir(cp_dir, 0755) + le_util.make_or_verify_dir(cp_dir, 0o755) existing_filepaths = [] op_fd = None diff --git a/letsencrypt/client/client.py b/letsencrypt/client/client.py index 87d4b9d1f..990df253e 100644 --- a/letsencrypt/client/client.py +++ b/letsencrypt/client/client.py @@ -384,7 +384,7 @@ class Client(object): """ cert_chain_abspath = None - cert_fd, cert_file = le_util.unique_file(CONFIG.CERT_PATH, 0644) + cert_fd, cert_file = le_util.unique_file(CONFIG.CERT_PATH, 0o644) cert_fd.write( crypto_util.b64_cert_to_pem(certificate_dict["certificate"])) cert_fd.close() @@ -392,7 +392,7 @@ class Client(object): cert_file) if certificate_dict.get("chain", None): - chain_fd, chain_fn = le_util.unique_file(CONFIG.CHAIN_PATH, 0644) + chain_fd, chain_fn = le_util.unique_file(CONFIG.CHAIN_PATH, 0o644) for cert in certificate_dict.get("chain", []): chain_fd.write(crypto_util.b64_cert_to_pem(cert)) chain_fd.close() @@ -498,7 +498,7 @@ class Client(object): """ list_file = os.path.join(CONFIG.CERT_KEY_BACKUP, "LIST") - le_util.make_or_verify_dir(CONFIG.CERT_KEY_BACKUP, 0700) + le_util.make_or_verify_dir(CONFIG.CERT_KEY_BACKUP, 0o700) idx = 0 if encrypt: 
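Review bot: The three `make_or_verify_dir` calls in the apache hunk repeat the same mode literal, and the nginx configurator carries the identical three lines commented out (its hunk closes this series), so the directory set-up looks like it belongs in a shared place rather than in each configurator. NginxConfigurator is shown subclassing `augeas_configurator.AugeasConfigurator`; if ApacheConfigurator does too (not visible here), a single loop in the base — `for path in (CONFIG.CONFIG_DIR, CONFIG.WORK_DIR, CONFIG.BACKUP_DIR): le_util.make_or_verify_dir(path, 0o755)` — would remove both copies. The enclosing method starts above the hunk. The remaining hunks on this line only change the literal form and need nothing further.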
@@ -627,9 +627,9 @@ class Client(object): if not self.key_file: key_pem = crypto_util.make_key(CONFIG.RSA_KEY_SIZE) # Save file - le_util.make_or_verify_dir(CONFIG.KEY_DIR, 0700) + le_util.make_or_verify_dir(CONFIG.KEY_DIR, 0o700) key_f, self.key_file = le_util.unique_file( - os.path.join(CONFIG.KEY_DIR, "key-letsencrypt.pem"), 0600) + os.path.join(CONFIG.KEY_DIR, "key-letsencrypt.pem"), 0o600) key_f.write(key_pem) key_f.close() logger.info("Generating key: %s" % self.key_file) @@ -643,9 +643,9 @@ class Client(object): if not self.csr_file: csr_pem, csr_der = crypto_util.make_csr(self.key_file, self.names) # Save CSR - le_util.make_or_verify_dir(CONFIG.CERT_DIR, 0755) + le_util.make_or_verify_dir(CONFIG.CERT_DIR, 0o755) csr_f, self.csr_file = le_util.unique_file( - os.path.join(CONFIG.CERT_DIR, "csr-letsencrypt.pem"), 0644) + os.path.join(CONFIG.CERT_DIR, "csr-letsencrypt.pem"), 0o644) csr_f.write(csr_pem) csr_f.close() logger.info("Creating CSR: %s" % self.csr_file) diff --git a/letsencrypt/client/le_util.py b/letsencrypt/client/le_util.py index 19070858f..5e8f5414b 100644 --- a/letsencrypt/client/le_util.py +++ b/letsencrypt/client/le_util.py @@ -5,7 +5,7 @@ import os import stat -def make_or_verify_dir(directory, mode=0755, uid=0): +def make_or_verify_dir(directory, mode=0o755, uid=0): """Make sure directory exists with proper permissions. :param directory: Path to a directry. @@ -50,7 +50,7 @@ def check_permissions(filepath, mode, uid=0): return stat.S_IMODE(file_stat.st_mode) == mode and file_stat.st_uid == uid -def unique_file(default_name, mode=0777): +def unique_file(default_name, mode=0o777): """Safely finds a unique file for writing only (by default).""" count = 1 f_parsed = os.path.splitext(default_name) diff --git a/letsencrypt/client/le_util_test.py b/letsencrypt/client/le_util_test.py index 30743c24a..926830602 100644 --- a/letsencrypt/client/le_util_test.py +++ b/letsencrypt/client/le_util_test.py 
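Review bot: In the key-generation hunk the private key is written with `key_f.write(key_pem)` / `key_f.close()` and no `with` or `try/finally`, so a failed write leaves the handle open and a truncated `key-letsencrypt.pem` on disk at the path already stored in `self.key_file`. `unique_file` appears to return an open file object (the code calls `.write` and `.close` on it), so `with key_f: key_f.write(key_pem)` closes it on every path; the CSR hunk below (`csr_f`) has the same shape. The `logger.info("Generating key: %s" % self.key_file)` line formats eagerly; `logger.info("Generating key: %s", self.key_file)` lets logging defer it. Both enclosing blocks start and end outside the hunks.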
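Review bot: `unique_file`'s default `mode=0o777` is the widest possible request, and every caller in this series passes an explicit mode, so the default only serves a caller that forgets — which would then create a file as permissive as the umask allows. Either require the argument (`def unique_file(default_name, mode):`) or default to a conservative value such as `0o644`, and state in the docstring that the mode is applied at creation and masked by umask (the body that opens the file is below the hunk, so how it is applied is not confirmable here). The `make_or_verify_dir` docstring in the hunk above also has a typo, `directry`.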
@@ -16,7 +16,7 @@ class MakeOrVerifyDirTest(unittest.TestCase): def setUp(self): self.root_path = tempfile.mkdtemp() self.path = os.path.join(self.root_path, 'foo') - os.mkdir(self.path, 0400) + os.mkdir(self.path, 0o400) self.uid = os.getuid() @@ -29,16 +29,16 @@ class MakeOrVerifyDirTest(unittest.TestCase): def test_creates_dir_when_missing(self): path = os.path.join(self.root_path, 'bar') - self._call(path, 0650) + self._call(path, 0o650) self.assertTrue(os.path.isdir(path)) # TODO: check mode def test_existing_correct_mode_does_not_fail(self): - self._call(self.path, 0400) + self._call(self.path, 0o400) # TODO: check mode def test_existing_wrong_mode_fails(self): - self.assertRaises(Exception, self._call, self.path, 0600) + self.assertRaises(Exception, self._call, self.path, 0o600) class CheckPermissionsTest(unittest.TestCase): @@ -61,12 +61,12 @@ class CheckPermissionsTest(unittest.TestCase): return check_permissions(self.path, mode, self.uid) def test_ok_mode(self): - os.chmod(self.path, 0600) - self.assertTrue(self._call(0600)) + os.chmod(self.path, 0o600) + self.assertTrue(self._call(0o600)) def test_wrong_mode(self): - os.chmod(self.path, 0400) - self.assertFalse(self._call(0600)) + os.chmod(self.path, 0o400) + self.assertFalse(self._call(0o600)) # https://en.wikipedia.org/wiki/Base64#Examples diff --git a/letsencrypt/client/nginx_configurator.py b/letsencrypt/client/nginx_configurator.py index 70d775a8b..5ca0ab68c 100644 --- a/letsencrypt/client/nginx_configurator.py +++ b/letsencrypt/client/nginx_configurator.py 
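Review bot: `test_creates_dir_when_missing` and `test_existing_correct_mode_does_not_fail` still end in `# TODO: check mode`, so the very bug the first patch in this series fixes — a mode literal that parses to the wrong number — is not covered; after the `self._call(path, 0o650)` line add `self.assertEqual(stat.S_IMODE(os.stat(path).st_mode), 0o650)` (importing `stat` if the test module does not already). If `make_or_verify_dir` only passes the mode to `os.mkdir`/`os.makedirs`, the result is masked by the test process umask, so the test should set the umask in `setUp` or the helper should chmod explicitly — its body is not in this diff. `test_existing_wrong_mode_fails` asserts a bare `Exception`, which also passes on an unrelated error such as a typo; narrow it to the exception `make_or_verify_dir` actually raises.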
@@ -174,9 +174,9 @@ class NginxConfigurator(augeas_configurator.AugeasConfigurator): # permissions. Aim for defensive coding... make sure all input files # have permissions of root # """ - # le_util.make_or_verify_dir(CONFIG.CONFIG_DIR, 0755) - # le_util.make_or_verify_dir(CONFIG.WORK_DIR, 0755) - # le_util.make_or_verify_dir(CONFIG.BACKUP_DIR, 0755) + # le_util.make_or_verify_dir(CONFIG.CONFIG_DIR, 0o755) + # le_util.make_or_verify_dir(CONFIG.WORK_DIR, 0o755) + # le_util.make_or_verify_dir(CONFIG.BACKUP_DIR, 0o755) def restart(self, quiet=False): """Restarts nginx server"""
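Review bot: This hunk updates octal literals inside code that is itself commented out, which is the clearest sign the block should be resolved rather than kept current: either enable the three `le_util.make_or_verify_dir(..., 0o755)` calls (the apache configurator hunk earlier in this series runs the same three) or delete them and leave a one-line `# TODO(owner): directory permission checks, see ApacheConfigurator`. A commented-out permission check also reads as a security control that is silently absent. The enclosing method starts above the hunk.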