chmod the storage to 600 after opening it.

tonyandrewmeyer · Nov 7, 2023 · 02ec57f · 02ec57f
1 parent bc8a5f7
commit 02ec57f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/ops/storage.py b/ops/storage.py
@@ -18,6 +18,7 @@
 import pickle
 import shutil
 import sqlite3
+import stat
 import subprocess
 from datetime import timedelta
 from pathlib import Path
@@ -62,6 +63,8 @@ def __init__(self, filename: Union['Path', str]):
         self._db = sqlite3.connect(str(filename),
                                    isolation_level=None,
                                    timeout=self.DB_LOCK_TIMEOUT.total_seconds())
+        if filename != ":memory:":
+            os.chmod(filename, stat.S_IRUSR | stat.S_IWUSR)
         self._setup()
 
     def _setup(self):

diff --git a/test/test_storage.py b/test/test_storage.py
@@ -18,6 +18,7 @@
 import os
 import pathlib
 import sys
+import stat
 import tempfile
 import typing
 import unittest
@@ -218,6 +219,16 @@ class TestSQLiteStorage(StoragePermutations, BaseTestCase):
     def create_storage(self):
         return ops.storage.SQLiteStorage(':memory:')
 
+    def test_permissions(self):
+        fd, filename = tempfile.mkstemp()
+        try:
+            os.close(fd)
+            os.remove(filename)
+            storage = ops.storage.SQLiteStorage(filename)
+            self.assertEqual(stat.S_IMODE(os.stat(filename).st_mode), stat.S_IREAD | stat.S_IWRITE)
+            storage.close()
+        finally:
+            os.remove(filename)
 
 def setup_juju_backend(test_case: unittest.TestCase, state_file: pathlib.Path):
     """Create fake scripts for pretending to be state-set and state-get."""