certbot.compat.filesystem module

Compat module to handle file security on Windows and Linux.

certbot.compat.filesystem.chmod(file_path, mode)[source]
Apply a POSIX mode on the given file_path:
  • for Linux, the POSIX mode will be directly applied using chmod,
  • for Windows, the POSIX mode will be translated into a Windows DACL that makes sense in the Certbot context, and applied to the file using kernel calls.

The definition of the Windows DACL that corresponds to a POSIX mode, in the context of Certbot, is explained at https://github.com/certbot/certbot/issues/6356 and is implemented by the method _generate_windows_flags().

Parameters:
  • file_path (str) – Path of the file
  • mode (int) – POSIX mode to apply

certbot.compat.filesystem.copy_ownership_and_apply_mode(src, dst, mode, copy_user, copy_group)[source]

Copy ownership (user and optionally group on Linux) from the source to the destination, then apply given mode in compatible way for Linux and Windows. This replaces the os.chown command.

Parameters:
  • src (str) – Path of the source file
  • dst (str) – Path of the destination file
  • mode (int) – Permission mode to apply on the destination file
  • copy_user (bool) – Copy user if True
  • copy_group (bool) – Copy group if True on Linux (has no effect on Windows)

certbot.compat.filesystem.check_mode(file_path, mode)[source]

Check if the given mode matches the permissions of the given file. On Linux, will make a direct comparison, on Windows, mode will be compared against the security model.

Parameters:
  • file_path (str) – Path of the file
  • mode (int) – POSIX mode to test

Returns:
  True if the POSIX mode matches the file permissions

Return type:
  bool

certbot.compat.filesystem.check_owner(file_path)[source]

Check if given file is owned by current user.

Parameters:
  • file_path (str) – File path to check

Returns:
  True if given file is owned by current user, False otherwise.

Return type:
  bool

certbot.compat.filesystem.check_permissions(file_path, mode)[source]

Check if given file has the given mode and is owned by current user.

Parameters:
  • file_path (str) – File path to check
  • mode (int) – POSIX mode to check

Returns:
  True if file has correct mode and owner, False otherwise.

Return type:
  bool

certbot.compat.filesystem.open(file_path, flags, mode=511)[source]

Wrapper of original os.open function, that will ensure on Windows that given mode is correctly applied.

Parameters:
  • file_path (str) – The file path to open
  • flags (int) – Flags to apply on file while opened
  • mode (int) – POSIX mode to apply on file when opened, Python defaults will be applied if None

Returns:
  the file descriptor to the opened file

Return type:
  int

Raise:
  OSError(errno.EEXIST) if the file already exists and os.O_CREAT & os.O_EXCL are set, OSError(errno.EACCES) on Windows if the file already exists and is a directory, and os.O_CREAT is set.

certbot.compat.filesystem.makedirs(file_path, mode=511)[source]

Rewrite of original os.makedirs function, that will ensure on Windows that given mode is correctly applied.

Parameters:
  • file_path (str) – The file path to open
  • mode (int) – POSIX mode to apply on leaf directory when created, Python defaults will be applied if None

certbot.compat.filesystem.mkdir(file_path, mode=511)[source]

Rewrite of original os.mkdir function, that will ensure on Windows that given mode is correctly applied.

Parameters:
  • file_path (str) – The file path to open
  • mode (int) – POSIX mode to apply on directory when created, Python defaults will be applied if None

certbot.compat.filesystem.replace(src, dst)[source]

Rename a file to a destination path and handle situations where the destination exists.

Parameters:
  • src (str) – The current file path.
  • dst (str) – The new file path.

certbot.compat.filesystem.realpath(file_path)[source]

Find the real path for the given path. This method resolves symlinks, including recursive symlinks, and is protected against symlinks that create an infinite loop.

certbot.compat.filesystem.is_executable(path)[source]

Is path an executable file?

Parameters:
  • path (str) – path to test

Returns:
  True if path is an executable file

Return type:
  bool

certbot.compat.filesystem.has_world_permissions(path)[source]

Check if everybody/world has any right (read/write/execute) on a file given its path.

Parameters:
  • path (str) – path to test

Returns:
  True if everybody/world has any right to the file

Return type:
  bool

certbot.compat.filesystem.compute_private_key_mode(old_key, base_mode)[source]

Calculate the POSIX mode to apply to a private key given the previous private key.

Parameters:
  • old_key (str) – path to the previous private key
  • base_mode (int) – the minimum modes to apply to a private key

Returns:
  the POSIX mode to apply

Return type:
  int

certbot.compat.filesystem.has_same_ownership(path1, path2)[source]

Return True if the ownership of two files given their respective path is the same. On Windows, ownership is checked against owner only, since files do not have a group owner.

Parameters:
  • path1 (str) – path to the first file
  • path2 (str) – path to the second file

Returns:
  True if both files have the same ownership, False otherwise

Return type:
  bool

certbot.compat.filesystem.has_min_permissions(path, min_mode)[source]

Check if a file given its path has at least the permissions defined by the given minimal mode. On Windows, group permissions are ignored since files do not have a group owner.

Parameters:
  • path (str) – path to the file to check
  • min_mode (int) – the minimal permissions expected

Returns:
  True if the file matches the minimal permissions expectations, False otherwise

Return type:
  bool
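
The POSIX side of the checks documented for open, check_permissions, has_world_permissions and has_min_permissions can be illustrated with the standard library alone. This is an added example, not Certbot's code: the posix_* helpers, create_exclusive and demo are hypothetical names, the file names are constructed samples, and the Windows DACL path is not covered. It also shows why the default mode=511 (0o777) leaves a file world-accessible under a typical umask.

```python
import os
import stat
import tempfile


def posix_check_permissions(path, mode):
    """Exact mode match AND owned by the current (effective) user."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == mode and st.st_uid == os.geteuid()


def posix_has_world_permissions(path):
    """True if 'other' holds any of read/write/execute."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)


def posix_has_min_permissions(path, min_mode):
    """True if every bit of min_mode is set; extra bits are tolerated."""
    return (os.stat(path).st_mode & min_mode) == min_mode


def create_exclusive(path, mode=0o777):
    """O_CREAT|O_EXCL create; returns False when the path exists (EEXIST)."""
    try:
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, mode))
    except FileExistsError:
        return False
    return True


def demo():
    old_umask = os.umask(0o022)  # pin the umask so results are reproducible
    try:
        with tempfile.TemporaryDirectory() as tmp:
            key = os.path.join(tmp, "privkey.pem")    # constructed sample
            loose = os.path.join(tmp, "default.txt")  # constructed sample
            create_exclusive(loose)  # default 0o777 is filtered by the umask
            return {
                "created": create_exclusive(key, 0o600),
                "recreated": create_exclusive(key, 0o600),
                "key_exact_0600": posix_check_permissions(key, 0o600),
                "key_world": posix_has_world_permissions(key),
                "key_min_0400": posix_has_min_permissions(key, 0o400),
                "key_min_0640": posix_has_min_permissions(key, 0o640),
                "default_mode": oct(stat.S_IMODE(os.stat(loose).st_mode)),
                "default_world": posix_has_world_permissions(loose),
            }
    finally:
        os.umask(old_umask)
```

An exact-match check rejects a key file that is either too open or too restrictive, while the minimum-mode check only rejects missing bits, so the two answer different audit questions.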