Fixed file-write operation to a public directory

This PR fixes a case of sensitive data exposure by using `mkstemp` method to create `dbus.log` file and a custom `opener` to create `anaconda-tb-all.log`. These two cases required individual fixes due to their differences. Signed-off-by: fazledyn-or <ataf@openrefactory.com>
rhinstaller · Dec 12, 2023 · 2c766b4 · 2c766b4
1 parent 0f76193
commit 2c766b4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/pyanaconda/anaconda.py b/pyanaconda/anaconda.py
@@ -191,8 +191,11 @@ def dumpState(self):
         os.write(fd, dump_text_bytes)
         os.close(fd)
 
+        def opener(path, flags):
+            return os.open(path, flags, 0o600)
+
         # append to a given file
-        with open("/tmp/anaconda-tb-all.log", "a+") as f:
+        with open("/tmp/anaconda-tb-all.log", "a+", opener=opener) as f:
             f.write("--- traceback: %s ---\n" % filename)
             f.write(dump_text + "\n")
 

diff --git a/pyanaconda/core/startup/dbus_launcher.py b/pyanaconda/core/startup/dbus_launcher.py
@@ -26,6 +26,7 @@
 import os
 import signal
 from subprocess import TimeoutExpired
+from tempfile import mkstemp
 
 from pyanaconda.core.configuration.anaconda import conf
 from pyanaconda.core.util import startProgram
@@ -115,7 +116,9 @@ def dbus_preexec():
             # to set dbus subprocess SIGINT handler
             signal.signal(signal.SIGINT, signal.SIG_IGN)
 
-        self._log_file = open('/tmp/dbus.log', 'a')
+        fd, fname = mkstemp(suffix=".log", prefix="dbus")
+        os.close(fd)
+        self._log_file = open(fname, 'a')
         self._dbus_daemon_process = startProgram(command, stderr=self._log_file, reset_lang=False,
                                                  preexec_fn=dbus_preexec)