From 67768d136687e8348e3331f0e7a1ac632b215ab1 Mon Sep 17 00:00:00 2001
From: Ali Razmjoo
Date: Wed, 4 Sep 2024 15:17:01 +0200
Subject: [PATCH] Fix overly permissive file permissions in luigi/lock.py Fixes #3303 Update file permissions in `luigi/lock.py` to be more restrictive. * Change the file permissions of the `pid_dir` directory from `0o777` to `0o700` in the `acquire_for` function. * Update the test cases `test_acquiring_partially_taken_lock` and `test_acquiring_lock_from_missing_process` in `test/lock_test.py` to check for the new file permissions `0o700`.
---
 luigi/lock.py | 2 +-
 test/lock_test.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/luigi/lock.py b/luigi/lock.py
index dfa5acbcdb..5a9e1f8014 100644
--- a/luigi/lock.py
+++ b/luigi/lock.py
@@ -100,7 +100,7 @@ def acquire_for(pid_dir, num_available=1, kill_signal=None):
 # Create a pid file if it does not exist
 try:
 os.mkdir(pid_dir)
- os.chmod(pid_dir, 0o777)
+ os.chmod(pid_dir, 0o700)
 except OSError as exc:
 if exc.errno != errno.EEXIST:
 raise
diff --git a/test/lock_test.py b/test/lock_test.py
index 2701bd963f..b04726066e 100644
--- a/test/lock_test.py
+++ b/test/lock_test.py
@@ -100,7 +100,7 @@ def test_acquiring_partially_taken_lock(self):
 self.assertTrue(acquired)
 s = os.stat(self.pid_file)
- self.assertEqual(s.st_mode & 0o777, 0o777)
+ self.assertEqual(s.st_mode & 0o700, 0o700)
 def test_acquiring_lock_from_missing_process(self):
 fake_pid = 99999
@@ -111,7 +111,7 @@ def test_acquiring_lock_from_missing_process(self):
 self.assertTrue(acquired)
 s = os.stat(self.pid_file)
- self.assertEqual(s.st_mode & 0o777, 0o777)
+ self.assertEqual(s.st_mode & 0o700, 0o700)
 @mock.patch('os.kill')
 def test_take_lock_with_kill(self, kill_fn):
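Review bot: A `pid_dir` that already exists is not tightened, because `os.chmod(pid_dir, 0o700)` sits in the `try` after `os.mkdir` and is skipped on the `EEXIST` path, so a directory left at `0o777` by an earlier run stays world-writable. For a freshly created directory, passing the mode at creation, `os.mkdir(pid_dir, 0o700)`, avoids the interval in which the directory exists with umask-derived permissions before the chmod. On the `EEXIST` path it would help to check `os.stat(pid_dir)` for owner and mode, then either tighten the directory when the current user owns it or fail loudly. If the directory was world-writable so that several users could share it (not visible here), `0o700` will block the other users, which deserves a line in the comment or changelog. `acquire_for` continues outside the hunk.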
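Review bot: The assertion `self.assertEqual(s.st_mode & 0o700, 0o700)` in `test_acquiring_partially_taken_lock` also passes for a mode of `0o777`, since masking with `0o700` discards the group and other bits the commit is meant to clear. To pin the restriction, keep the full mask and compare it to the expected mode, `self.assertEqual(s.st_mode & 0o777, 0o700)`. The stat is taken on `self.pid_file`, while the visible change in `luigi/lock.py` alters the mode of `pid_dir`, so the directory's mode is what this check should read unless the pid file's mode is changed elsewhere. The same assertion in `test_acquiring_lock_from_missing_process` has the same gap.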