Fixed file-write operation to a public directory

This PR fixes a case of sensitive data exposure by using the existing helped method `open_with_perm`. Signed-off-by: fazledyn-or <[email protected]>
rhinstaller · Jan 3, 2024 · 2006c74 · 2006c74
1 parent 0f76193
commit 2006c74
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/pyanaconda/anaconda.py b/pyanaconda/anaconda.py
@@ -27,6 +27,7 @@
 from pyanaconda.core import constants
 from pyanaconda.core.startup.dbus_launcher import AnacondaDBusLauncher
 from pyanaconda.core.kernel import kernel_arguments
+from pyanaconda.core.path import open_with_perm
 from pyanaconda.modules.common.constants.services import PAYLOADS
 from pyanaconda.ui.lib.addons import collect_addon_ui_paths
 
@@ -192,7 +193,7 @@ def dumpState(self):
         os.close(fd)
 
         # append to a given file
-        with open("/tmp/anaconda-tb-all.log", "a+") as f:
+        with open_with_perm("/tmp/anaconda-tb-all.log", "a+", 0o600) as f:
             f.write("--- traceback: %s ---\n" % filename)
             f.write(dump_text + "\n")
 

diff --git a/pyanaconda/core/startup/dbus_launcher.py b/pyanaconda/core/startup/dbus_launcher.py
@@ -26,6 +26,7 @@
 import os
 import signal
 from subprocess import TimeoutExpired
+from tempfile import mkstemp
 
 from pyanaconda.core.configuration.anaconda import conf
 from pyanaconda.core.util import startProgram
@@ -115,7 +116,9 @@ def dbus_preexec():
             # to set dbus subprocess SIGINT handler
             signal.signal(signal.SIGINT, signal.SIG_IGN)
 
-        self._log_file = open('/tmp/dbus.log', 'a')
+        fd, fname = mkstemp(suffix=".log", prefix="dbus")
+        os.close(fd)
+        self._log_file = open(fname, 'a')
         self._dbus_daemon_process = startProgram(command, stderr=self._log_file, reset_lang=False,
                                                  preexec_fn=dbus_preexec)