From 5ad58804af885db3eb7a78bea5000c401eeeb70e Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 21 Jan 2024 02:30:33 +0900
Subject: [PATCH] Restrict access to local storlet/dependency files

Now swift and storlet daemon inside containers run with consistent uid so we don't need group/other permissions. Also chown should be executed before actual file content is written, so that the content is not read by a different user.

Closes-Bug: #2047723
Change-Id: I7790e51556875be1fc6438d1e2c599b693ca3b5b
---
 storlets/gateway/gateways/docker/gateway.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/storlets/gateway/gateways/docker/gateway.py b/storlets/gateway/gateways/docker/gateway.py
index e3663b3b..a4ff55a8 100644
--- a/storlets/gateway/gateways/docker/gateway.py
+++ b/storlets/gateway/gateways/docker/gateway.py
@@ -279,7 +279,7 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
             get_func = sreq.file_manager.get_dependency
 
         if not os.path.exists(cache_dir):
-            os.makedirs(cache_dir, 0o755)
+            os.makedirs(cache_dir, 0o700)
 
         # cache_target_path is the actual object we need to deal with
         # e.g. a concrete storlet or dependency we need to bring/update
@@ -312,16 +312,17 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
         # bring the object from storge
         data_iter, perm = get_func(obj_name)
 
+        if perm:
+            perm = int(perm, 8) & 0o700
+        else:
+            perm = 0o600
+
         # TODO(takashi): Do not directly write to target path
         with open(cache_target_path, 'wb') as fn:
+            os.chmod(cache_target_path, perm)
             for data in data_iter:
                 fn.write(data)
 
-        if not is_storlet:
-            if not perm:
-                perm = '0600'
-            os.chmod(cache_target_path, int(perm, 8))
-
         # The node's local cache is now updated.
         # We now verify if we need to update the
         # Docker container itself.
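Review bot: The tighter mode in `os.makedirs(cache_dir, 0o700)` only takes effect for directories that do not exist yet, because the call sits under `if not os.path.exists(cache_dir)`; a cache directory created by an earlier release with 0o755 keeps that mode after upgrade, so the group/other access this patch intends to remove survives on existing nodes. The same applies to `os.makedirs(docker_storlet_path, 0o700)` in the third hunk. If the intent is to enforce the restriction rather than only apply it on first creation, an unconditional `os.chmod(cache_dir, 0o700)` after the existence check (and likewise for `docker_storlet_path`) would cover pre-existing directories. Note also that the mode passed to `os.makedirs` is still subject to the process umask, which can only restrict it further. bring_from_cache starts and ends outside these hunks.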
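Review bot: `os.chmod(cache_target_path, perm)` inside the `with open(cache_target_path, 'wb')` block acts on the path rather than on the descriptor just opened, and `open()` has already created the file with the default `0o666 & ~umask` mode by the time the chmod runs, so the mode at creation is still umask-dependent. Creating the file with the intended mode from the start avoids both issues: `fd = os.open(cache_target_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, perm)` followed by `with os.fdopen(fd, 'wb') as fn:`; at minimum, `os.fchmod(fn.fileno(), perm)` would apply the mode to the file actually being written. Separately, `int(perm, 8)` now runs for storlets as well as dependencies, whereas the removed code only converted the string under `if not is_storlet`; a malformed mode string from the file manager therefore raises ValueError here where it was previously ignored for storlets, and whether callers handle that is not visible in the hunk. bring_from_cache starts and ends outside the hunk.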
@@ -334,7 +335,7 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
         docker_target_path = os.path.join(docker_storlet_path, obj_name)
 
         if not os.path.exists(docker_storlet_path):
-            os.makedirs(docker_storlet_path, 0o755)
+            os.makedirs(docker_storlet_path, 0o700)
             update_docker = True
         elif not os.path.isfile(docker_target_path):
             update_docker = True