Change permissions of config/password files created by airflow (#29495)

The permissions for files created by airflow when creating config and standalone files are now only limited to the owner. (cherry picked from commit b2ecaf9)
apache · Mar 8, 2023 · c439634 · c439634
1 parent 7928e89
commit c439634
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/airflow/cli/commands/standalone_command.py b/airflow/cli/commands/standalone_command.py
@@ -27,7 +27,7 @@
 
 from termcolor import colored
 
-from airflow.configuration import AIRFLOW_HOME, conf
+from airflow.configuration import AIRFLOW_HOME, conf, make_group_other_inaccessible
 from airflow.executors import executor_constants
 from airflow.jobs.scheduler_job import SchedulerJob
 from airflow.jobs.triggerer_job import TriggererJob
@@ -194,6 +194,7 @@ def initialize_database(self):
             )
             with open(password_path, "w") as file:
                 file.write(password)
+            make_group_other_inaccessible(password_path)
             appbuilder.sm.add_user("admin", "Admin", "User", "admin@example.com", role, password)
             self.print_output("standalone", "Created admin user")
         # If the user does exist and we know its password, read the password

diff --git a/airflow/configuration.py b/airflow/configuration.py
@@ -25,6 +25,7 @@
 import pathlib
 import re
 import shlex
+import stat
 import subprocess
 import sys
 import warnings
@@ -1482,6 +1483,7 @@ def initialize_config() -> AirflowConfigParser:
             with open(TEST_CONFIG_FILE, "w") as file:
                 cfg = _parameterized_config_from_template("default_test.cfg")
                 file.write(cfg)
+            make_group_other_inaccessible(TEST_CONFIG_FILE)
 
         local_conf.load_test_config()
     else:
@@ -1496,6 +1498,7 @@ def initialize_config() -> AirflowConfigParser:
 
             with open(AIRFLOW_CONFIG, "w") as file:
                 file.write(default_config)
+            make_group_other_inaccessible(AIRFLOW_CONFIG)
 
         log.info("Reading the config from %s", AIRFLOW_CONFIG)
 
@@ -1538,6 +1541,18 @@ def initialize_config() -> AirflowConfigParser:
     return local_conf
 
 
+def make_group_other_inaccessible(file_path: str):
+    try:
+        permissions = os.stat(file_path)
+        os.chmod(file_path, permissions.st_mode & (stat.S_IRUSR | stat.S_IWUSR))
+    except Exception as e:
+        log.warning(
+            "Could not change permissions of config file to be group/other inaccessible. "
+            "Continuing with original permissions:",
+            e,
+        )
+
+
 # Historical convenience functions to access config entries
 def load_test_config():
     """Historical load_test_config."""