Bug report

Bug description:
On Windows, when a directory is created using Python's `os.mkdir` with `mode=0o700`, permissions for the `OWNER RIGHTS` group are attached. Files written to the directory inherit these permissions, unless explicitly disabled. This causes incompatibility with the OpenSSH client when attempting to pass a private key file stored in the created directory because permissions are "too open".
Although this can be avoided by calling `os.mkdir` with `mode=0o400`, there's no available workaround when using `tempfile.TemporaryDirectory` since the mode is hardcoded to `0o700`.
To reproduce:

```python
# Create a temporary directory
import tempfile

# Take note of `temp_dir.name`
temp_dir = tempfile.TemporaryDirectory()
# Place a private key file into `temp_dir.name`
```
In Windows Command Prompt:

```
> ssh -p port -i C:\Path\To\TempDir\Keyfile destination
Bad permissions. Try removing permissions for user: \\OWNER RIGHTS (S-1-3-4) on file C:\Path\To\TempDir\Keyfile.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\Path\To\TempDir\Keyfile' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\Path\To\TempDir\Keyfile": bad permissions
destination: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```
Based on the related CPython issue and PR linked below, I understand switching to `OWNER RIGHTS` was intentionally done to address a CVE. However, this has created friction between `tempfile.TemporaryDirectory` and OpenSSH.
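The following script is an added example, not part of this report and not CPython's or OpenSSH's own code. It does two things a practitioner would want when triaging this: it parses `icacls` output to tell whether an `OWNER RIGHTS` (`S-1-3-4`) entry is attached to a file (the sample output below is constructed to match the report's error message, not captured from a real machine), and it creates a uniquely named temp directory with a mode other than `0o700` so that CPython's Windows special case is not triggered. The function names `parse_icacls`, `has_owner_rights`, `key_file_acl_is_clean` and `private_temp_dir` are my own, and the assumption that any mode other than `0o700` leaves the parent's inherited ACL in place (with `%TEMP%` under the user profile already owner-only) is taken from the report's `mode=0o400` workaround.

```python
import os
import re
import subprocess
import sys
import tempfile

# Well-known SID that OpenSSH names in the report's error message.
OWNER_RIGHTS_SID = "S-1-3-4"
OWNER_RIGHTS_NAME = "OWNER RIGHTS"

# One icacls ACE: "ACCOUNT:(flag)(flag)...", e.g. "OWNER RIGHTS:(I)(F)".
ACE_RE = re.compile(r"^(?P<account>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str) -> list[tuple[str, str]]:
    """Turn `icacls <path>` output into (account, flags) pairs.

    icacls prints the path in front of the first ACE and indents the rest,
    so the path is stripped before each line is matched.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            entries.append((m.group("account"), m.group("flags")))
    return entries


def has_owner_rights(entries) -> bool:
    """True if an OWNER RIGHTS ACE is present, by name or as an unresolved SID."""
    return any(account in (OWNER_RIGHTS_NAME, "*" + OWNER_RIGHTS_SID)
               for account, _ in entries)


def key_file_acl_is_clean(path: str) -> bool:
    """Windows only: run icacls on a path and check for the OWNER RIGHTS entry."""
    result = subprocess.run(["icacls", path], capture_output=True, text=True, check=True)
    return not has_owner_rights(parse_icacls(result.stdout, path))


def private_temp_dir(prefix: str = "sshkey-") -> str:
    """Create a uniquely named directory under the temp location.

    Assumption (from the report's mode=0o400 workaround): on Windows only
    mode=0o700 attaches the OWNER RIGHTS ACL; any other mode keeps the
    parent's inherited ACL, and %TEMP% under the user profile is already
    owner-only. On POSIX the usual 0o700 is used.
    """
    mode = 0o400 if sys.platform == "win32" else 0o700
    base = tempfile.gettempdir()
    for _ in range(100):
        candidate = os.path.join(base, prefix + os.urandom(4).hex())
        try:
            os.mkdir(candidate, mode=mode)
            return candidate
        except FileExistsError:
            continue
    raise FileExistsError("no free name for a private temp directory")


def create_and_remove(prefix: str = "sshkey-") -> bool:
    """Round-trip helper: create a private directory, confirm it, delete it."""
    path = private_temp_dir(prefix)
    ok = os.path.isdir(path)
    os.rmdir(path)
    return ok


# Constructed sample icacls output for a key file inside a TemporaryDirectory,
# modelled on the report's error message (not captured from a real machine).
SAMPLE_PATH = r"C:\Path\To\TempDir\Keyfile"
SAMPLE_ICACLS_WITH_OWNER_RIGHTS = (
    SAMPLE_PATH + " NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                            BUILTIN\\Administrators:(I)(F)\n"
    "                            OWNER RIGHTS:(I)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)
# Constructed sample for a file whose ACL was inherited from the user profile.
SAMPLE_ICACLS_CLEAN = (
    SAMPLE_PATH + " NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                            BUILTIN\\Administrators:(I)(F)\n"
    "                            DESKTOP-EXAMPLE\\user:(I)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

if __name__ == "__main__":
    sample = parse_icacls(SAMPLE_ICACLS_WITH_OWNER_RIGHTS, SAMPLE_PATH)
    print("constructed sample has OWNER RIGHTS:", has_owner_rights(sample))
    d = private_temp_dir()
    print("private temp dir:", d)
    if sys.platform == "win32":
        print("icacls clean:", key_file_acl_is_clean(d))
    os.rmdir(d)
```

On Windows, running this against a key file placed in a `tempfile.TemporaryDirectory()` should report the `OWNER RIGHTS` entry, while a directory from `private_temp_dir()` should come back clean; on other platforms only the parser and the directory round-trip are exercised.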
Related:

- [CVE-2024-4030] Enable `mkdir(mode=0o700)` to work on Windows #118486
- gh-118486: Switch mkdir(mode=0o700) on Windows to use OWNER RIGHTS instead of CURRENT_USER #118515
- `aws ec2-instance connect ssh` fails on Windows aws/aws-cli#9114
CPython versions tested on:
3.12
Operating systems tested on:
Windows