New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement secure temporary file handling #1085
Comments
I'd love to see this implemented, as it can a pretty big security hole in my opinion (depending on use-case). FWIW, I tried implementing a similar feature against pyinfra 2.4 a couple years ago, but didn't have time to polish it for upstreaming - I might pick it back up and post a PR. One notable issue I ran into was that using Edit: somehow I missed the fact that |
Good point about using unprivileged users with |
Is your feature request related to a problem? Please describe
I have noticed that the temporary files created by pyinfra are world-readable and often have a predictable name. For example, when using
pyinfra.operations.server.script()
, the uploaded script is stored in the temporary directory with permission bits set to 755. This has security implications if the script contains sensitive information. Another example would bepyinfra.operations.apt.deb()
which downloads data and stores it in a temporary file with a predictable name (SHA-1 hash of the download URL). In this example, a malicious actor could simply place a Debian package with the same name in the temporary directory, and because the internal call topyinfra.operations.files.download()
does not use theforce
parameter, the malicious actor's Debian package would be installed.Describe the solution you'd like
In my opinion, the most robust solution would be to store all temporary deploy files in a secure temporary directory managed by pyinfra. I have addressed the issue in pyinfra 3.0b0 using a config file (
config.py
) that looks as follows:With this approach, pyinfra creates a temporary directory with a random name and permission bits set to 700 (
/tmp
is used statically because I don't require$TMPDIR
evaluation). All temporary file/directory paths generated by pyinfra are scoped to this directory. The temporary directory is created when needed during the execution stage to prevent needless creation of temporary directories. If an SFTP upload is executed with an unprivileged user, an additional temporary directory for that user is created. In addition, all arguments passed topyinfra.api.host.Host.get_temp_filename()
are ignored, because the returned path should always be random to prevent collisions.The text was updated successfully, but these errors were encountered: