*: Minimize file and directory permissions (pingcap#31740)

ref pingcap#31310
DarvenDuan · Jan 22, 2022 · 7f44207 · 7f44207
1 parent 5af13e8
commit 7f44207
Show file tree

Hide file tree

Showing 10 changed files with 13 additions and 12 deletions.
diff --git a/br/cmd/tidb-lightning-ctl/main.go b/br/cmd/tidb-lightning-ctl/main.go
@@ -254,7 +254,7 @@ func checkpointDump(ctx context.Context, cfg *config.Config, dumpFolder string)
 	}
 	defer cpdb.Close()
 
-	if err := os.MkdirAll(dumpFolder, 0o755); err != nil {
+	if err := os.MkdirAll(dumpFolder, 0o750); err != nil {
 		return errors.Trace(err)
 	}
 

diff --git a/br/pkg/lightning/backend/local/local.go b/br/pkg/lightning/backend/local/local.go
@@ -592,7 +592,7 @@ func (local *local) OpenEngine(ctx context.Context, cfg *backend.EngineConfig, e
 		return errors.Trace(err)
 	}
 	if !common.IsDirExists(sstDir) {
-		if err := os.Mkdir(sstDir, 0o755); err != nil {
+		if err := os.Mkdir(sstDir, 0o750); err != nil {
 			return errors.Trace(err)
 		}
 	}
@@ -1526,7 +1526,7 @@ func (local *local) ResetEngine(ctx context.Context, engineUUID uuid.UUID) error
 		localEngine.db = db
 		localEngine.engineMeta = engineMeta{}
 		if !common.IsDirExists(localEngine.sstDir) {
-			if err := os.Mkdir(localEngine.sstDir, 0o755); err != nil {
+			if err := os.Mkdir(localEngine.sstDir, 0o750); err != nil {
 				return errors.Trace(err)
 			}
 		}

diff --git a/br/pkg/lightning/checkpoints/checkpoints.go b/br/pkg/lightning/checkpoints/checkpoints.go
@@ -990,7 +990,7 @@ func (cpdb *FileCheckpointsDB) save() error {
 	// because `os.WriteFile` is not atomic, directly write into it may reset the file
 	// to an empty file if write is not finished.
 	tmpPath := cpdb.path + ".tmp"
-	if err := os.WriteFile(tmpPath, serialized, 0o644); err != nil { // nolint:gosec
+	if err := os.WriteFile(tmpPath, serialized, 0o600); err != nil {
 		return errors.Trace(err)
 	}
 	if err := os.Rename(tmpPath, cpdb.path); err != nil {

diff --git a/cmd/pluginpkg/pluginpkg.go b/cmd/pluginpkg/pluginpkg.go
@@ -126,7 +126,7 @@ func main() {
 	}
 
 	genFileName := filepath.Join(pkgDir, filepath.Base(pkgDir)+".gen.go")
-	genFile, err := os.OpenFile(genFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
+	genFile, err := os.OpenFile(genFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0700) // # nosec G302
 	if err != nil {
 		log.Printf("generate code failure during prepare output file, %+v\n", err)
 		os.Exit(1)

diff --git a/executor/select_into.go b/executor/select_into.go
@@ -52,7 +52,8 @@ func (s *SelectIntoExec) Open(ctx context.Context) error {
 		return errors.New("unsupported SelectInto type")
 	}
 
-	f, err := os.OpenFile(s.intoOpt.FileName, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
+	// MySQL-compatible behavior: allow files to be group-readable
+	f, err := os.OpenFile(s.intoOpt.FileName, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0640) // # nosec G302
 	if err != nil {
 		return errors.Trace(err)
 	}

diff --git a/parser/goyacc/main.go b/parser/goyacc/main.go
@@ -324,7 +324,7 @@ func main1(in string) (err error) {
 	}
 
 	if fn := *oXErrorsGen; fn != "" {
-		f, err := os.OpenFile(fn, os.O_RDWR|os.O_CREATE, 0666)
+		f, err := os.OpenFile(fn, os.O_RDWR|os.O_CREATE, 0600)
 		if err != nil {
 			return err
 		}

diff --git a/store/mockstore/unistore/lockstore/load_dump.go b/store/mockstore/unistore/lockstore/load_dump.go
@@ -96,7 +96,7 @@ func (ls *MemStore) writeItem(writer *bufio.Writer, data []byte) error {
 // DumpToFile dumps the meta to a file
 func (ls *MemStore) DumpToFile(fileName string, meta []byte) error {
 	tmpFileName := fileName + ".tmp"
-	f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0666)
+	f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0600)
 	if err != nil {
 		return errors.Trace(err)
 	}

diff --git a/store/mockstore/unistore/mock.go b/store/mockstore/unistore/mock.go
@@ -34,7 +34,7 @@ func New(path string) (*RPCClient, pd.Client, *Cluster, error) {
 		persistent = false
 	}
 
-	if err := os.MkdirAll(path, 0777); err != nil {
+	if err := os.MkdirAll(path, 0750); err != nil {
 		return nil, nil, nil, err
 	}
 

diff --git a/store/mockstore/unistore/tikv/mvcc.go b/store/mockstore/unistore/tikv/mvcc.go
@@ -122,7 +122,7 @@ type lockEntryHdr struct {
 
 func (store *MVCCStore) dumpMemLocks() error {
 	tmpFileName := store.dir + "/lock_store.tmp"
-	f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0666)
+	f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0600)
 	if err != nil {
 		return errors.Trace(err)
 	}

diff --git a/util/disk/tempDir.go b/util/disk/tempDir.go
@@ -64,7 +64,7 @@ func InitializeTempDir() error {
 	tempDir := config.GetGlobalConfig().TempStoragePath
 	_, err := os.Stat(tempDir)
 	if err != nil && !os.IsExist(err) {
-		err = os.MkdirAll(tempDir, 0755)
+		err = os.MkdirAll(tempDir, 0750)
 		if err != nil {
 			return err
 		}
@@ -118,7 +118,7 @@ func CleanUp() {
 func CheckAndCreateDir(path string) error {
 	_, err := os.Stat(path)
 	if err != nil && !os.IsExist(err) {
-		err = os.MkdirAll(path, 0755)
+		err = os.MkdirAll(path, 0750)
 		if err != nil {
 			return err
 		}