certbot.compat.filesystem module¶

Compat module to handle files security on Windows and Linux

certbot.compat.filesystem.chmod(file_path: str, mode: int) → None[source]¶

Apply a POSIX mode on given file_path:

for Linux, the POSIX mode will be directly applied using chmod,

for Windows, the POSIX mode will be translated into a Windows DACL that make sense for Certbot context, and applied to the file using kernel calls.

The definition of the Windows DACL that correspond to a POSIX mode, in the context of Certbot, is explained at https://github.com/certbot/certbot/issues/6356 and is implemented by the method _generate_windows_flags().

Parameters

file_path (str) – Path of the file
mode (int) – POSIX mode to apply

certbot.compat.filesystem.umask(mask: int) → int[source]¶

Set the current numeric umask and return the previous umask. On Linux, the built-in umask method is used. On Windows, our Certbot-side implementation is used.

Parameters: mask (int) – The user file-creation mode mask to apply.
Return type: int
Returns: The previous umask value.

certbot.compat.filesystem.temp_umask(mask: int) → Generator[None, None, None][source]¶

Apply a umask temporarily, meant to be used in a with block. Uses the Certbot implementation of umask.

Parameters: mask (int) – The user file-creation mode mask to apply temporarily

certbot.compat.filesystem.copy_ownership_and_apply_mode(src: str, dst: str, mode: int, copy_user: bool, copy_group: bool) → None[source]¶

Copy ownership (user and optionally group on Linux) from the source to the destination, then apply given mode in compatible way for Linux and Windows. This replaces the os.chown command.

Parameters

src (str) – Path of the source file
dst (str) – Path of the destination file
mode (int) – Permission mode to apply on the destination file
copy_user (bool) – Copy user if True
copy_group (bool) – Copy group if True on Linux (has no effect on Windows)

certbot.compat.filesystem.copy_ownership_and_mode(src: str, dst: str, copy_user: bool = True, copy_group: bool = True) → None[source]¶

Copy ownership (user and optionally group on Linux) and mode/DACL from the source to the destination.

Parameters

src (str) – Path of the source file
dst (str) – Path of the destination file
copy_user (bool) – Copy user if True
copy_group (bool) – Copy group if True on Linux (has no effect on Windows)

certbot.compat.filesystem.check_mode(file_path: str, mode: int) → bool[source]¶

Check if the given mode matches the permissions of the given file. On Linux, will make a direct comparison, on Windows, mode will be compared against the security model.

Parameters

file_path (str) – Path of the file
mode (int) – POSIX mode to test

Return type

bool

Returns

True if the POSIX mode matches the file permissions

certbot.compat.filesystem.check_owner(file_path: str) → bool[source]¶

Check if given file is owned by current user.

Parameters: file_path (str) – File path to check
Return type: bool
Returns: True if given file is owned by current user, False otherwise.

certbot.compat.filesystem.check_permissions(file_path: str, mode: int) → bool[source]¶

Check if given file has the given mode and is owned by current user.

Parameters

file_path (str) – File path to check
mode (int) – POSIX mode to check

Return type

bool

Returns

True if file has correct mode and owner, False otherwise.

certbot.compat.filesystem.open(file_path: str, flags: int, mode: int = 511) → int[source]¶

Wrapper of original os.open function, that will ensure on Windows that given mode is correctly applied.

Parameters

file_path (str) – The file path to open
flags (int) – Flags to apply on file while opened
mode (int) – POSIX mode to apply on file when opened, Python defaults will be applied if None

Returns

the file descriptor to the opened file

Return type

int

Raise

OSError(errno.EEXIST) if the file already exists and os.O_CREAT & os.O_EXCL are set, OSError(errno.EACCES) on Windows if the file already exists and is a directory, and os.O_CREAT is set.

certbot.compat.filesystem.makedirs(file_path: str, mode: int = 511) → None[source]¶

Rewrite of original os.makedirs function, that will ensure on Windows that given mode is correctly applied.

Parameters

file_path (str) – The file path to open
mode (int) – POSIX mode to apply on leaf directory when created, Python defaults will be applied if None

certbot.compat.filesystem.mkdir(file_path: str, mode: int = 511) → None[source]¶

Rewrite of original os.mkdir function, that will ensure on Windows that given mode is correctly applied.

Parameters

file_path (str) – The file path to open
mode (int) – POSIX mode to apply on directory when created, Python defaults will be applied if None

certbot.compat.filesystem.replace(src: str, dst: str) → None[source]¶

Rename a file to a destination path and handles situations where the destination exists.

Parameters

src (str) – The current file path.
dst (str) – The new file path.

certbot.compat.filesystem.realpath(file_path: str) → str[source]¶

Find the real path for the given path. This method resolves symlinks, including recursive symlinks, and is protected against symlinks that creates an infinite loop.

Parameters: file_path (str) – The path to resolve
Returns: The real path for the given path
Return type: str

certbot.compat.filesystem.readlink(link_path: str) → str[source]¶

Return a string representing the path to which the symbolic link points.

Parameters: link_path (str) – The symlink path to resolve
Returns: The path the symlink points to
Returns: str
Raise: ValueError if a long path (260> characters) is encountered on Windows

certbot.compat.filesystem.is_executable(path: str) → bool[source]¶

Is path an executable file?

Parameters: path (str) – path to test
Returns: True if path is an executable file
Return type: bool

certbot.compat.filesystem.has_world_permissions(path: str) → bool[source]¶

Check if everybody/world has any right (read/write/execute) on a file given its path.

Parameters: path (str) – path to test
Returns: True if everybody/world has any right to the file
Return type: bool

certbot.compat.filesystem.compute_private_key_mode(old_key: str, base_mode: int) → int[source]¶

Calculate the POSIX mode to apply to a private key given the previous private key.

Parameters

old_key (str) – path to the previous private key
base_mode (int) – the minimum modes to apply to a private key

Returns

the POSIX mode to apply

Return type

int

certbot.compat.filesystem.has_same_ownership(path1: str, path2: str) → bool[source]¶

Return True if the ownership of two files given their respective path is the same. On Windows, ownership is checked against owner only, since files do not have a group owner.

Parameters

path1 (str) – path to the first file
path2 (str) – path to the second file

Returns

True if both files have the same ownership, False otherwise

Return type

bool

certbot.compat.filesystem.has_min_permissions(path: str, min_mode: int) → bool[source]¶

Check if a file given its path has at least the permissions defined by the given minimal mode. On Windows, group permissions are ignored since files do not have a group owner.

Parameters

path (str) – path to the file to check
min_mode (int) – the minimal permissions expected

Returns

True if the file matches the minimal permissions expectations, False otherwise

Return type

bool