3

I am using tempfile.mkstemp to generate a random available filename and write some content with os.fdopen. I then pass the filename to a task via celery.

This task opens the file, processes the content, and finally removes the file. In testing this works fine, however I have realised that this will break in my live environment where the user running the task is not the same as the one which creates the file.

This means that the user cannot open the file because tempfile.mkstemp sets the permissions to 600 (-rw-------).

I cannot make both processes run by the same user, so is there some way to modify the file permissions set by tempfile.mkstemp?

I am running Python 3.6 on Ubuntu 14.04.

PyPingu
  • I would encourage you to [read the documentation](https://docs.python.org/3/library/tempfile.html#tempfile.mkstemp) first when you have a question. Then, come to StackOverflow. – robobrobro Jun 27 '18 at 13:16
  • @robobrobro I appreciate your point, but I did read that documentation, and I couldn't see anything explicitly stated regarding the file permissions – PyPingu Jun 27 '18 at 13:17
  • "The file is readable and writable only by the creating user ID. If the platform uses permission bits to indicate whether a file is executable, the file is executable by no one." – robobrobro Jun 27 '18 at 13:26
  • Ah fair enough. Although I don't think it's clear whether that can be altered? Looks like the only way may be `os.chmod` – PyPingu Jun 27 '18 at 13:29

2 Answers

4

Given that you use os.fdopen after you call mkstemp(), you may be better off using tempfile.NamedTemporaryFile(delete=False). It returns a Python file object instead of an fd.

Either way, the returned file will have mode=0600, so you will need to change it. Use os.fchmod(temp_file.fileno(), 0o640) or similar (change the mode as per your needs).

Leo K
3

No, apart from manually modifying permissions using the chmod command, there is no way to modify the permissions of a file created by tempfile.mkstemp. This function by design creates a temporary file in the most secure manner possible, so the file is readable and writable only by the creating user ID. See the mkstemp documentation.

Create your temporary file using tempfile.TemporaryFile or tempfile.NamedTemporaryFile instead.

running.t
  • Ok, I thought this may be the case, do you think it is better to use `tempfile.NamedTemporaryFile` or to use `os.fchmod` on the `mkstemp` file? – PyPingu Jun 27 '18 at 13:14
  • I would use `NamedTemporaryFile`. Looking at your use case you actually don't need *secure* temporary file. So there's no point in using `tempfile.mkstemp` – running.t Jun 27 '18 at 13:16
  • 1
    NamedTemporaryFile is as secure as tempfile.mkstemp - they use the same code internally. Call NamedTemporaryFile(delete=False) to get the mkstemp() behavior, plus a python file object (which you need anyway). – Leo K Jun 27 '18 at 13:19
  • It does seem as though `NamedTemporaryFile` also creates files with the `0600` permissions mode – PyPingu Jun 27 '18 at 13:26
  • You're right. All three, `mkstemp`, `TemporaryFile`, and `NamedTemporaryFile`, actually use the same internal function for creating files. And `006` mode is hardcoded there. [Here](https://stackoverflow.com/questions/10541760/can-i-set-the-umask-for-tempfile-namedtemporaryfile-in-python) you can find some workaround – running.t Jun 27 '18 at 14:00
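
The approach discussed in the answers above (NamedTemporaryFile(delete=False) followed by os.fchmod on the open descriptor), as an added example that is not code from any of the posters. The function names `write_shared_tempfile`, `consume` and `file_mode`, and the optional `gid` and `directory` parameters, are hypothetical.

```python
import os
import stat
import tempfile


def write_shared_tempfile(data, mode=0o640, gid=None, directory=None):
    """Write data to a new temp file and return its path.

    tempfile creates the file 0600; the mode is then widened through the
    open descriptor, so the change lands on the file that was just created
    and not on whatever the path might point at later.
    """
    if mode & 0o002:
        raise ValueError("refusing to create a world-writable temp file")
    tmp = tempfile.NamedTemporaryFile(mode="wb", delete=False, dir=directory)
    try:
        with tmp:
            if gid is not None:
                # Assumption: gid is a group shared with the consuming user.
                os.fchown(tmp.fileno(), -1, gid)
            # fchmod sets the mode exactly; the process umask is not applied.
            os.fchmod(tmp.fileno(), mode)
            tmp.write(data)
    except BaseException:
        # Do not leave a partially written file behind.
        os.unlink(tmp.name)
        raise
    return tmp.name


def consume(path):
    """What the task side does: read the content, then remove the file."""
    with open(path, "rb") as fh:
        content = fh.read()
    os.unlink(path)
    return content


def file_mode(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)
```

In a sticky-bit directory such as /tmp only the file's owner (or root) can unlink it, so a task running as a different user needs a shared directory, passed as `directory`, to do the final removal.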