Fix #258 - Always set export file permissions to 644

Co-authored-by: Troy Boudreau <tboudreau@us.ntt.net>
irrdnet · Oct 1, 2019 · 74c2fcb · 74c2fcb
1 parent 4a20ea0
commit 74c2fcb
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/docs/admins/configuration.rst b/docs/admins/configuration.rst
@@ -293,7 +293,7 @@ Sources
   gzipped. If there is no serial information available (i.e. the journal is
   empty) no serial file is produced. If the database is entirely empty, an error
   is logged and no files are exported. This directory needs to exist already,
-  IRRd will not create it.
+  IRRd will not create it. File permissions are always set to ``644``.
   |br| **Default**: not defined, no exports made.
   |br| **Change takes effect**: after SIGHUP, at the next ``export_timer``.
 * ``sources.{name}.export_timer``: the time between two full exports of all

diff --git a/irrd/mirroring/mirror_runners_export.py b/irrd/mirroring/mirror_runners_export.py
@@ -11,6 +11,8 @@
 from irrd.storage.queries import RPSLDatabaseQuery, DatabaseStatusQuery
 from irrd.utils.text import remove_auth_hashes
 
+EXPORT_PERMISSIONS = 0o644
+
 logger = logging.getLogger(__name__)
 
 
@@ -61,6 +63,7 @@ def _export(self, export_destination):
                 object_bytes = remove_auth_hashes(obj['object_text']).encode('utf-8')
                 fh.write(object_bytes + b'\n')
 
+        os.chmod(export_tmpfile.name, EXPORT_PERMISSIONS)
         if filename_export.exists():
             os.unlink(filename_export)
         if filename_serial.exists():
@@ -70,6 +73,7 @@ def _export(self, export_destination):
         if serial is not None:
             with open(filename_serial, 'w') as fh:
                 fh.write(str(serial))
+            os.chmod(filename_serial, EXPORT_PERMISSIONS)
 
         self.database_handler.record_serial_exported(self.source, serial)
         logger.info(f'Export for {self.source} complete, stored in {filename_export} / {filename_serial}')
diff --git a/irrd/mirroring/tests/test_mirror_runners_export.py b/irrd/mirroring/tests/test_mirror_runners_export.py
@@ -1,9 +1,10 @@
+import os
 from itertools import cycle, repeat
 
 import gzip
 from unittest.mock import Mock
 
-from irrd.mirroring.mirror_runners_export import SourceExportRunner
+from irrd.mirroring.mirror_runners_export import SourceExportRunner, EXPORT_PERMISSIONS
 from irrd.utils.test_utils import flatten_mock_calls
 
 
@@ -39,10 +40,14 @@ def test_export(self, tmpdir, config_override, monkeypatch, caplog):
         runner.run()
         runner.run()
 
-        with open(tmpdir + '/TEST.CURRENTSERIAL') as fh:
+        serial_filename = tmpdir + '/TEST.CURRENTSERIAL'
+        assert oct(os.lstat(serial_filename).st_mode)[-3:] == oct(EXPORT_PERMISSIONS)[-3:]
+        with open(serial_filename) as fh:
             assert fh.read() == '424242'
 
-        with gzip.open(tmpdir + '/test.db.gz') as fh:
+        export_filename = tmpdir + '/test.db.gz'
+        assert oct(os.lstat(export_filename).st_mode)[-3:] == oct(EXPORT_PERMISSIONS)[-3:]
+        with gzip.open(export_filename) as fh:
             assert fh.read().decode('utf-8') == 'object 1 🦄\nauth: CRYPT-PW DummyValue  # Filtered for security\n\n' \
                                                 'object 2 🌈\n\n'