Merge commit from fork

* Downgrade necessary permissions for build script

* Use atomic moves to minimize attack window

* add news

* minimize windows further

* use opener

* Provide new helper context manager to handle atomic writes and permission setting

* pre-commit

* clarify need for umask reset

* use secrets.token_urlsafe with 64 characters

* Revert "Fix transitive subpackage dependency resolution (#5603)" (#5647)

* Update conda_build/utils.py

Co-authored-by: Ken Odegard <kodegard@anaconda.com>

* Update conda_build/utils.py

---------

Co-authored-by: jaimergp <jaimergp@users.noreply.github.com>
Co-authored-by: Matthew R. Becker <beckermr@users.noreply.github.com>

Author: 3 people

conda_build/build.py

@@ -71,6 +71,7 @@
 )
 from .utils import (
     CONDA_PACKAGE_EXTENSIONS,
+    create_file_with_permissions,
     env_var,
     glob,
     on_mac,
@@ -3063,24 +3064,24 @@ def write_build_scripts(m, script, build_file):
 
     work_file = join(m.config.work_dir, "conda_build.sh")
     env_file = join(m.config.work_dir, "build_env_setup.sh")
-    with open(env_file, "w") as bf:
+
+    with create_file_with_permissions(env_file, 0o600) as bf:
         for k, v in env.items():
             if v != "" and v is not None:
                 bf.write(f'export {k}="{v}"\n')
-
         if m.activate_build_script:
             _write_sh_activation_text(bf, m)
-    with open(work_file, "w") as bf:
+
+    with create_file_with_permissions(work_file, 0o700) as bf:
         # bf.write('set -ex\n')
         bf.write("if [ -z ${CONDA_BUILD+x} ]; then\n")
-        bf.write(f"    source {env_file}\n")
+        bf.write(f"    source '{env_file}'\n")
         bf.write("fi\n")
         if script:
             bf.write(script)
         if isfile(build_file) and not script:
-            bf.write(open(build_file).read())
+            bf.write(Path(build_file).read_text())
 
-    os.chmod(work_file, 0o766)
     return work_file, env_file
 
 

conda_build/utils.py

@@ -11,6 +11,7 @@
 import mmap
 import os
 import re
+import secrets
 import shutil
 import stat
 import subprocess
@@ -2260,3 +2261,39 @@ def is_conda_pkg(pkg_path: str) -> bool:
 
 def package_record_to_requirement(prec: PackageRecord) -> str:
     return f"{prec.name} {prec.version} {prec.build}"
+
+
+@contextlib.contextmanager
+def set_umask(mask: int = 0) -> Iterator[None]:
+    current = os.umask(mask)
+    yield
+    os.umask(current)
+
+
+@contextlib.contextmanager
+def create_file_with_permissions(path: str, permissions: int):
+    """
+    Opens a new file for writing, with permissions set from creation time.
+    This is achieved by creating a temporary directory in the same parent
+    directory, opening a new file inside with the right permissions,
+    yielding the descriptor so the caller can add the necessary contents,
+    and then moving the temporary file to the target location, with preserved
+    permissions.
+
+    The umask is temporarily reset during this process, and then restored.
+    This is needed so permissions can be applied as intended. Without a zeroed
+    umask, the system umask might filter the passed value to a different one.
+    For example, given a system umask=022, passing 666 will result in a file
+    with permissions 644.
+    """
+
+    def opener(path, flags):
+        return os.open(path, flags, mode=permissions)
+
+    dirname = os.path.dirname(path)
+    with set_umask(), TemporaryDirectory(dir=dirname) as tmpdir:
+        tmp_path = os.path.join(tmpdir, secrets.token_urlsafe(64))
+        with open(tmp_path, "w", opener=opener) as fh:
+            yield fh
+
+        shutil.move(tmp_path, path)

news/build-script-permissions

@@ -0,0 +1,19 @@
+### Enhancements
+
+* <news item>
+
+### Bug fixes
+
+* Use more adequate permissions for temporary build scripts written to `$SRC_DIR`.
+
+### Deprecations
+
+* <news item>
+
+### Docs
+
+* <news item>
+
+### Other
+
+* <news item>

tests/test_api_build.py

@@ -2179,3 +2179,15 @@ def test_api_build_pytorch_cpu_issue5644(tmp_path, testing_config):
             os.environ["CONDA_SUBDIR"] = old_subdir
         else:
             del os.environ["CONDA_SUBDIR"]
+
+
+def test_build_script_permissions(testing_config):
+    recipe = os.path.join(metadata_dir, "_noarch_python")
+    metadata = api.render(
+        recipe, config=testing_config, dirty=True, remove_work_dir=False
+    )[0][0]
+    api.build(metadata, notest=True)
+    build_script = os.path.join(metadata.config.work_dir, "conda_build.sh")
+    assert (os.stat(build_script).st_mode & 0o777) == 0o700
+    env_script = os.path.join(metadata.config.work_dir, "build_env_setup.sh")
+    assert (os.stat(env_script).st_mode & 0o777) == 0o600