
Overly restrictive permissions set on tmp/data folder due to python mkdtemp()

Open kieranjol opened this issue 5 months ago • 2 comments

We recently began bagging on domain-joined Windows workstations as opposed to 'Forensic Workstations' which are off the network. We have noticed on Windows that the 'data' folder is only accessible to the user that created the bag. We are able to replicate this outside of bagit itself on a domain-joined PC with:

import os
import tempfile

cwd = os.getcwd()
# mkdtemp() creates the directory itself; on a domain-joined Windows host the
# resulting folder has ACL inheritance disabled
temp_data = tempfile.mkdtemp(dir=cwd)
# copying the parent's mode bits does not re-enable inheritance on Windows
os.chmod(temp_data, os.stat(cwd).st_mode)

In advanced security settings, inheritance is disabled. Once it is manually enabled, the permissions behave as expected. However, this issue can slip through the cracks as, if the bag is transferred to another location, inheritance is enabled on the copy.


This behaviour is not present in a 'regular' Windows account that isn't attached to a domain.

I believe that this relates specifically to how mkdtemp works, and I think the issue is somewhat articulated here: https://github.com/python/cpython/issues/86050

I have tested a pull request that just uses os.mkdir (pretty sure pathlib is preferred nowadays but it isn't used in the current bagit codebase) instead, and the permissions then behave correctly and inheritance is enabled by default. Again, as with https://github.com/LibraryOfCongress/bagit-python/issues/191 this is an environment issue so I understand that there might be reticence to add in this change. It would be great to know if anyone else has encountered it!

I will follow up with the pull request.

Best,

Kieran O'Leary
Digital Repository Services Manager
National Library of Ireland

kieranjol, Aug 19 '25 10:08
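An added example, not code from the issue or from the bagit-python project: it creates a scratch folder both ways (tempfile.mkdtemp() as bagit does today, and the os.mkdir() replacement the issue proposes) and reports the two things a post-bagging permission check would look at. The function names are assumptions; the Windows check shells out to icacls, which is not available elsewhere and so returns None there.

```python
import os
import stat
import subprocess
import sys
import tempfile
import uuid

def make_unique_dir(parent, prefix="tmp"):
    """Like mkdtemp(dir=parent) but via os.mkdir, so the new directory keeps
    the parent's default permissions/ACL instead of mkdtemp's private mode."""
    for _ in range(100):
        path = os.path.join(parent, prefix + uuid.uuid4().hex[:8])
        try:
            os.mkdir(path)  # FileExistsError on a name clash: pick another name
        except FileExistsError:
            continue
        # keep the mode copy the issue's snippet performs (permission bits only)
        os.chmod(path, stat.S_IMODE(os.stat(parent).st_mode))
        return path
    raise FileExistsError("no unused name found under %r" % parent)

def mode_matches_parent(path):
    """True when the POSIX permission bits equal the parent directory's."""
    parent = os.path.dirname(os.path.abspath(path))
    return stat.S_IMODE(os.stat(path).st_mode) == stat.S_IMODE(os.stat(parent).st_mode)

def acl_inherits(path):
    """Windows only: True if `icacls` shows an inherited ACE (flag '(I)'),
    i.e. inheritance is enabled on the folder; None where icacls is absent."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return "(I)" in out

def compare(base=None):
    """Create a folder both ways under a constructed scratch dir; report both checks."""
    base = base or tempfile.mkdtemp()
    via_mkdtemp = tempfile.mkdtemp(dir=base)  # what bagit does today
    os.chmod(via_mkdtemp, stat.S_IMODE(os.stat(base).st_mode))
    via_mkdir = make_unique_dir(base)  # the replacement the issue proposes
    return {
        "mkdtemp_mode_matches": mode_matches_parent(via_mkdtemp),
        "mkdtemp_acl_inherits": acl_inherits(via_mkdtemp),
        "mkdir_mode_matches": mode_matches_parent(via_mkdir),
        "mkdir_acl_inherits": acl_inherits(via_mkdir),
    }

if __name__ == "__main__":
    print(compare())
```

On a domain-joined Windows workstation the expected difference is in the two `acl_inherits` values; on POSIX hosts both folders simply match the parent's mode bits.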