When a file is first written and its permissions are only tightened afterwards with chmod, there is a potential security risk known as a time-of-check to time-of-use (TOCTOU) race. In this type of attack, an attacker exploits the time window between when the file is initially created with the process's default (umask-derived) permissions and when its permissions are restricted. During this window the attacker may gain access to the file's contents.

At https://github.com/openstack/magnum/blob/537e69aeb8df7af480e6af11a98687179d4dd89c/magnum/conductor/handlers/common/cert_manager.py#L185 , magnum first writes ca_file, key_file and cert_file, and only then chmods them to mode 0o600:

```
# CA certificate, private key and certificate are created with open("w+"),
# i.e. with the default mode derived from the process umask
ca_file = open(cached_ca_file, "w+")
ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
ca_file.flush()

key_file = open(cached_key_file, "w+")
key_file.write(encodeutils.safe_decode(
    magnum_cert.get_decrypted_private_key()))
key_file.flush()

cert_file = open(cached_cert_file, "w+")
cert_file.write(
    encodeutils.safe_decode(magnum_cert.get_certificate()))
cert_file.flush()

# permissions are tightened only after the sensitive data is on disk
os.chmod(cached_ca_file, 0o600)
os.chmod(cached_key_file, 0o600)
os.chmod(cached_cert_file, 0o600)
```

References:

https://bugs.launchpad.net/magnum/+bug/2047690
https://gist.github.com/Fewword/f098d8d6375ac25e27b18c0e57be532f
https://review.opendev.org/c/openstack/magnum/+/907305
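The following is an added example, not code from magnum or from the report above. It reproduces the write-then-chmod pattern, measures the mode bits the file carries during the window, and contrasts it with creating the file via os.open with an explicit mode of 0o600, so it is never looser than intended; the file names and the PEM content are constructed sample values.

```python
import os
import stat
import tempfile

# Constructed sample content standing in for the PEM data magnum writes.
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\n"
              "constructed sample, not a real key\n"
              "-----END PRIVATE KEY-----\n")


def write_then_chmod(path, data):
    """Pattern from the report: create with the process umask, then tighten.

    Returns the mode bits the file had between open() and chmod(), i.e.
    what another local user could read during the race window.
    """
    with open(path, "w+") as f:
        f.write(data)
        f.flush()
        window_mode = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, 0o600)
    return window_mode


def write_private(path, data):
    """Hardened form: the file is created owner-only from the start.

    The mode argument of os.open only applies when the file is created,
    so a pre-existing file would keep its old mode; callers should write
    into a fresh path (or unlink first). Returns the mode after creation.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
        f.flush()
        return stat.S_IMODE(os.fstat(f.fileno()).st_mode)


def compare_modes(umask=0o022):
    """Run both writers under a fixed umask; returns (naive_window_mode, hardened_mode)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = write_then_chmod(os.path.join(d, "naive.key"), SAMPLE_KEY)
            hardened = write_private(os.path.join(d, "hardened.key"), SAMPLE_KEY)
    finally:
        os.umask(old)
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = compare_modes()
    print(f"write-then-chmod, mode during window: {naive:04o}")
    print(f"os.open with mode 0o600:              {hardened:04o}")
```

With the common umask 022 the naive path leaves the key world-readable (0644) until the chmod runs, while the os.open variant is 0600 for every umask.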