fix: eliminate insecure temporary file in atomic_file_write

Replace the close-then-reopen pattern in atomic_file_write() with
os.fdopen() to keep the file descriptor from tempfile.mkstemp() open
throughout the operation. The previous code closed the fd immediately
and reopened the temp file by name, creating a TOCTOU (time-of-check-
time-of-use) race window where an attacker could replace the temporary
file between close and reopen.

The fix passes the mkstemp fd directly to os.fdopen(), ensuring the
file handle is never released and re-acquired by name. For non-
truncating modes (e.g. 'a'), existing file content is copied through
the already-open fd rather than via shutil.copyfile on the path.

Fixes: #54
Signed-off-by: Pierluigi Lenoci <pierluigilenoci@gmail.com>

Author: pierluigilenoci

lib/vdsm/common/fileutils.py

@@ -54,13 +54,25 @@ def atomic_file_write(filename, flag):
         dir=os.path.dirname(os.path.abspath(filename)),
         prefix=os.path.basename(filename) + '.',
         suffix='.tmp')
-    os.close(fd)
     try:
-        if os.path.exists(filename):
-            shutil.copyfile(filename, tmp_filename)
-        with open(tmp_filename, flag) as f:
+        if os.path.exists(filename) and 'w' not in flag:
+            # Preserve existing content for non-truncating modes (e.g. 'a').
+            # Write through the already-open fd to avoid a close-then-reopen
+            # race condition (TOCTOU / insecure temporary file).
+            with open(filename, 'rb') as src:
+                while True:
+                    chunk = src.read(65536)
+                    if not chunk:
+                        break
+                    os.write(fd, chunk)
+            os.lseek(fd, 0, os.SEEK_SET)
+        with os.fdopen(fd, flag) as f:
             yield f
     except:
+        try:
+            os.close(fd)
+        except OSError:
+            pass  # fd may already be closed by os.fdopen
         rm_file(tmp_filename)
         raise
     else: