certbot.compat.filesystem module

Compat module to handle files security on Windows and Linux

certbot.compat.filesystem.chmod(file_path, mode)[source]

Apply a POSIX mode on given file_path:

  • for Linux, the POSIX mode will be directly applied using chmod,
  • for Windows, the POSIX mode will be translated into a Windows DACL that make sense for Certbot context, and applied to the file using kernel calls.

The definition of the Windows DACL that correspond to a POSIX mode, in the context of Certbot, is explained at https://github.com/certbot/certbot/issues/6356 and is implemented by the method _generate_windows_flags().

Parameters:
  • file_path (str) – Path of the file
  • mode (int) – POSIX mode to apply
certbot.compat.filesystem.umask(mask)[source]

Set the current numeric umask and return the previous umask. On Linux, the built-in umask method is used. On Windows, our Certbot-side implementation is used.

Parameters:mask (int) – The user file-creation mode mask to apply.
Return type:int
Returns:The previous umask value.
certbot.compat.filesystem.copy_ownership_and_apply_mode(src, dst, mode, copy_user, copy_group)[source]

Copy ownership (user and optionally group on Linux) from the source to the destination, then apply given mode in compatible way for Linux and Windows. This replaces the os.chown command.

Parameters:
  • src (str) – Path of the source file
  • dst (str) – Path of the destination file
  • mode (int) – Permission mode to apply on the destination file
  • copy_user (bool) – Copy user if True
  • copy_group (bool) – Copy group if True on Linux (has no effect on Windows)
certbot.compat.filesystem.copy_ownership_and_mode(src, dst, copy_user=True, copy_group=True)[source]

Copy ownership (user and optionally group on Linux) and mode/DACL from the source to the destination.

Parameters:
  • src (str) – Path of the source file
  • dst (str) – Path of the destination file
  • copy_user (bool) – Copy user if True
  • copy_group (bool) – Copy group if True on Linux (has no effect on Windows)
certbot.compat.filesystem.check_mode(file_path, mode)[source]

Check if the given mode matches the permissions of the given file. On Linux, will make a direct comparison, on Windows, mode will be compared against the security model.

Parameters:
  • file_path (str) – Path of the file
  • mode (int) – POSIX mode to test
Return type:

bool

Returns:

True if the POSIX mode matches the file permissions

certbot.compat.filesystem.check_owner(file_path)[source]

Check if given file is owned by current user.

Parameters:file_path (str) – File path to check
Return type:bool
Returns:True if given file is owned by current user, False otherwise.
certbot.compat.filesystem.check_permissions(file_path, mode)[source]

Check if given file has the given mode and is owned by current user.

Parameters:
  • file_path (str) – File path to check
  • mode (int) – POSIX mode to check
Return type:

bool

Returns:

True if file has correct mode and owner, False otherwise.

certbot.compat.filesystem.open(file_path, flags, mode=511)[source]

Wrapper of original os.open function, that will ensure on Windows that given mode is correctly applied.

Parameters:
  • file_path (str) – The file path to open
  • flags (int) – Flags to apply on file while opened
  • mode (int) – POSIX mode to apply on file when opened, Python defaults will be applied if None
Returns:

the file descriptor to the opened file

Return type:

int

Raise:

OSError(errno.EEXIST) if the file already exists and os.O_CREAT & os.O_EXCL are set, OSError(errno.EACCES) on Windows if the file already exists and is a directory, and os.O_CREAT is set.

certbot.compat.filesystem.makedirs(file_path, mode=511)[source]

Rewrite of original os.makedirs function, that will ensure on Windows that given mode is correctly applied.

Parameters:
  • file_path (str) – The file path to open
  • mode (int) – POSIX mode to apply on leaf directory when created, Python defaults will be applied if None
certbot.compat.filesystem.mkdir(file_path, mode=511)[source]

Rewrite of original os.mkdir function, that will ensure on Windows that given mode is correctly applied.

Parameters:
  • file_path (str) – The file path to open
  • mode (int) – POSIX mode to apply on directory when created, Python defaults will be applied if None
certbot.compat.filesystem.replace(src, dst)[source]

Rename a file to a destination path and handles situations where the destination exists.

Parameters:
  • src (str) – The current file path.
  • dst (str) – The new file path.
certbot.compat.filesystem.realpath(file_path)[source]

Find the real path for the given path. This method resolves symlinks, including recursive symlinks, and is protected against symlinks that creates an infinite loop.

Parameters:file_path (str) – The path to resolve
Returns:The real path for the given path
Return type:str
certbot.compat.filesystem.is_executable(path)[source]

Is path an executable file?

Parameters:path (str) – path to test
Returns:True if path is an executable file
Return type:bool
certbot.compat.filesystem.has_world_permissions(path)[source]

Check if everybody/world has any right (read/write/execute) on a file given its path.

Parameters:path (str) – path to test
Returns:True if everybody/world has any right to the file
Return type:bool
certbot.compat.filesystem.compute_private_key_mode(old_key, base_mode)[source]

Calculate the POSIX mode to apply to a private key given the previous private key.

Parameters:
  • old_key (str) – path to the previous private key
  • base_mode (int) – the minimum modes to apply to a private key
Returns:

the POSIX mode to apply

Return type:

int

certbot.compat.filesystem.has_same_ownership(path1, path2)[source]

Return True if the ownership of two files given their respective path is the same. On Windows, ownership is checked against owner only, since files do not have a group owner.

Parameters:
  • path1 (str) – path to the first file
  • path2 (str) – path to the second file
Returns:

True if both files have the same ownership, False otherwise

Return type:

bool

certbot.compat.filesystem.has_min_permissions(path, min_mode)[source]

Check if a file given its path has at least the permissions defined by the given minimal mode. On Windows, group permissions are ignored since files do not have a group owner.

Parameters:
  • path (str) – path to the file to check
  • min_mode (int) – the minimal permissions expected
Returns:

True if the file matches the minimal permissions expectations, False otherwise

Return type:

bool