From 7f442079acc4bb4f8ce3feb5575258ff233f33fe Mon Sep 17 00:00:00 2001
From: Ding Zengxian
Date: Sat, 22 Jan 2022 10:27:46 +0800
Subject: [PATCH] *: Minimize file and directory permissions (#31740)
ref pingcap/tidb#31310
---
 br/cmd/tidb-lightning-ctl/main.go | 2 +-
 br/pkg/lightning/backend/local/local.go | 4 ++--
 br/pkg/lightning/checkpoints/checkpoints.go | 2 +-
 cmd/pluginpkg/pluginpkg.go | 2 +-
 executor/select_into.go | 3 ++-
 parser/goyacc/main.go | 2 +-
 store/mockstore/unistore/lockstore/load_dump.go | 2 +-
 store/mockstore/unistore/mock.go | 2 +-
 store/mockstore/unistore/tikv/mvcc.go | 2 +-
 util/disk/tempDir.go | 4 ++--
 10 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/br/cmd/tidb-lightning-ctl/main.go b/br/cmd/tidb-lightning-ctl/main.go
index 43891c8fb0..b877fecb2f 100644
--- a/br/cmd/tidb-lightning-ctl/main.go
+++ b/br/cmd/tidb-lightning-ctl/main.go
@@ -254,7 +254,7 @@ func checkpointDump(ctx context.Context, cfg *config.Config, dumpFolder string)
 }
 defer cpdb.Close()
- if err := os.MkdirAll(dumpFolder, 0o755); err != nil {
+ if err := os.MkdirAll(dumpFolder, 0o750); err != nil {
 return errors.Trace(err)
 }
diff --git a/br/pkg/lightning/backend/local/local.go b/br/pkg/lightning/backend/local/local.go
index b4a5826e56..77f6b6d2e8 100644
--- a/br/pkg/lightning/backend/local/local.go
+++ b/br/pkg/lightning/backend/local/local.go
@@ -592,7 +592,7 @@ func (local *local) OpenEngine(ctx context.Context, cfg *backend.EngineConfig, e
 return errors.Trace(err)
 }
 if !common.IsDirExists(sstDir) {
- if err := os.Mkdir(sstDir, 0o755); err != nil {
+ if err := os.Mkdir(sstDir, 0o750); err != nil {
 return errors.Trace(err)
 }
 }
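Review bot: The new 0o750 mode in OpenEngine only takes effect when `os.Mkdir` actually creates sstDir; the call sits behind the `!common.IsDirExists(sstDir)` guard, so a directory left by an earlier version keeps whatever mode it already has, including the previous 0o755. If the intent is that these directories are never world-accessible, the existing directory should be tightened too, for example `if err := os.Chmod(sstDir, 0o750); err != nil { return errors.Trace(err) }` after the guard. The same applies to the ResetEngine hunk in this file and to InitializeTempDir and CheckAndCreateDir in util/disk/tempDir.go, where MkdirAll is skipped whenever os.Stat succeeds. OpenEngine's body starts and ends outside the hunk.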
@@ -1526,7 +1526,7 @@ func (local *local) ResetEngine(ctx context.Context, engineUUID uuid.UUID) error
 localEngine.db = db
 localEngine.engineMeta = engineMeta{}
 if !common.IsDirExists(localEngine.sstDir) {
- if err := os.Mkdir(localEngine.sstDir, 0o755); err != nil {
+ if err := os.Mkdir(localEngine.sstDir, 0o750); err != nil {
 return errors.Trace(err)
 }
 }
diff --git a/br/pkg/lightning/checkpoints/checkpoints.go b/br/pkg/lightning/checkpoints/checkpoints.go
index a39a24098c..47ced55db4 100644
--- a/br/pkg/lightning/checkpoints/checkpoints.go
+++ b/br/pkg/lightning/checkpoints/checkpoints.go
@@ -990,7 +990,7 @@ func (cpdb *FileCheckpointsDB) save() error {
 // because `os.WriteFile` is not atomic, directly write into it may reset the file
 // to an empty file if write is not finished.
 tmpPath := cpdb.path + ".tmp"
- if err := os.WriteFile(tmpPath, serialized, 0o644); err != nil { // nolint:gosec
+ if err := os.WriteFile(tmpPath, serialized, 0o600); err != nil {
 return errors.Trace(err)
 }
 if err := os.Rename(tmpPath, cpdb.path); err != nil {
diff --git a/cmd/pluginpkg/pluginpkg.go b/cmd/pluginpkg/pluginpkg.go
index 8390b10adb..24a7c6a0a5 100644
--- a/cmd/pluginpkg/pluginpkg.go
+++ b/cmd/pluginpkg/pluginpkg.go
@@ -126,7 +126,7 @@ func main() {
 }
 genFileName := filepath.Join(pkgDir, filepath.Base(pkgDir)+".gen.go")
- genFile, err := os.OpenFile(genFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
+ genFile, err := os.OpenFile(genFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0700) // # nosec G302
 if err != nil {
 log.Printf("generate code failure during prepare output file, %+v\n", err)
 os.Exit(1)
diff --git a/executor/select_into.go b/executor/select_into.go
index cb0a2d5356..5003f1dbf9 100644
--- a/executor/select_into.go
+++ b/executor/select_into.go
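Review bot: `os.WriteFile` in save() applies 0o600 only when it creates tmpPath; a `.tmp` file left over from an interrupted save under the old 0o644 mode is truncated and keeps that mode, and the `os.Rename` that follows carries it over to cpdb.path. Removing the stale file first with `_ = os.Remove(tmpPath)`, or calling `os.Chmod(tmpPath, 0o600)` before the rename, makes the resulting mode deterministic. The `.tmp` files opened with `os.O_CREATE|os.O_TRUNC` in DumpToFile (lockstore/load_dump.go) and dumpMemLocks (tikv/mvcc.go), and the `os.O_CREATE` open in parser/goyacc/main.go, behave the same way when the file already exists. save() continues outside the hunk.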
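Review bot: In cmd/pluginpkg/pluginpkg.go the new mode 0700 sets the owner execute bit on genFileName, which the line above builds as a `.gen.go` source file, and that extra bit is what makes the `# nosec G302` suppression necessary. `genFile, err := os.OpenFile(genFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)` is enough for a generated source file and lets the suppression be dropped. main() starts and ends outside the hunk.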
@@ -52,7 +52,8 @@ func (s *SelectIntoExec) Open(ctx context.Context) error {
 return errors.New("unsupported SelectInto type")
 }
- f, err := os.OpenFile(s.intoOpt.FileName, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
+ // MySQL-compatible behavior: allow files to be group-readable
+ f, err := os.OpenFile(s.intoOpt.FileName, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0640) // # nosec G302
 if err != nil {
 return errors.Trace(err)
 }
diff --git a/parser/goyacc/main.go b/parser/goyacc/main.go
index 1b8fae47cd..22d78f2998 100644
--- a/parser/goyacc/main.go
+++ b/parser/goyacc/main.go
@@ -324,7 +324,7 @@ func main1(in string) (err error) {
 }
 if fn := *oXErrorsGen; fn != "" {
- f, err := os.OpenFile(fn, os.O_RDWR|os.O_CREATE, 0666)
+ f, err := os.OpenFile(fn, os.O_RDWR|os.O_CREATE, 0600)
 if err != nil {
 return err
 }
diff --git a/store/mockstore/unistore/lockstore/load_dump.go b/store/mockstore/unistore/lockstore/load_dump.go
index dca102ab0b..f0192331ec 100644
--- a/store/mockstore/unistore/lockstore/load_dump.go
+++ b/store/mockstore/unistore/lockstore/load_dump.go
@@ -96,7 +96,7 @@ func (ls *MemStore) writeItem(writer *bufio.Writer, data []byte) error {
 // DumpToFile dumps the meta to a file
 func (ls *MemStore) DumpToFile(fileName string, meta []byte) error {
 tmpFileName := fileName + ".tmp"
- f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0666)
+ f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0600)
 if err != nil {
 return errors.Trace(err)
 }
diff --git a/store/mockstore/unistore/mock.go b/store/mockstore/unistore/mock.go
index 37bfaf5473..06bfe7396a 100644
--- a/store/mockstore/unistore/mock.go
+++ b/store/mockstore/unistore/mock.go
@@ -34,7 +34,7 @@ func New(path string) (*RPCClient, pd.Client, *Cluster, error) {
 persistent = false
 }
- if err := os.MkdirAll(path, 0777); err != nil {
+ if err := os.MkdirAll(path, 0750); err != nil {
 return nil, nil, nil, err
 }
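Review bot: The comment added in SelectIntoExec.Open explains the group-read bit but not the `# nosec G302` on the line below it, so the suppression reads as unexplained to the next maintainer. Suggested wording: `// MySQL-compatible behavior: files are created 0640 (owner rw, group r), which is above gosec's 0600 limit on purpose.` The mode is also subject to the process umask, so 0640 is an upper bound rather than a guarantee. Open() continues outside the hunk.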
diff --git a/store/mockstore/unistore/tikv/mvcc.go b/store/mockstore/unistore/tikv/mvcc.go
index c25e2e2104..a0d943a564 100644
--- a/store/mockstore/unistore/tikv/mvcc.go
+++ b/store/mockstore/unistore/tikv/mvcc.go
@@ -122,7 +122,7 @@ type lockEntryHdr struct {
 func (store *MVCCStore) dumpMemLocks() error {
 tmpFileName := store.dir + "/lock_store.tmp"
- f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0666)
+ f, err := os.OpenFile(tmpFileName, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0600)
 if err != nil {
 return errors.Trace(err)
 }
diff --git a/util/disk/tempDir.go b/util/disk/tempDir.go
index 0603b54fd0..1a615ccd64 100644
--- a/util/disk/tempDir.go
+++ b/util/disk/tempDir.go
@@ -64,7 +64,7 @@ func InitializeTempDir() error {
 tempDir := config.GetGlobalConfig().TempStoragePath
 _, err := os.Stat(tempDir)
 if err != nil && !os.IsExist(err) {
- err = os.MkdirAll(tempDir, 0755)
+ err = os.MkdirAll(tempDir, 0750)
 if err != nil {
 return err
 }
@@ -118,7 +118,7 @@ func CleanUp() {
 func CheckAndCreateDir(path string) error {
 _, err := os.Stat(path)
 if err != nil && !os.IsExist(err) {
- err = os.MkdirAll(path, 0755)
+ err = os.MkdirAll(path, 0750)
 if err != nil {
 return err
 }