chore: Enable G301, G302 and G306 rules for gosec (#13022)

.golangci.yml

@@ -100,12 +100,23 @@ linters-settings:
       - G201
       - G202
       - G203
+      - G301
+      - G302
+      - G306
       - G401
       - G403
       - G501
       - G502
       - G503
       - G505
+    # To specify the configuration of rules.
+    config:
+      # Maximum allowed permissions mode for os.OpenFile and os.Chmod
+      # Default: "0600"
+      G302: "0640"
+      # Maximum allowed permissions mode for os.WriteFile and ioutil.WriteFile
+      # Default: "0600"
+      G306: "0640"
   lll:
     # Max line length, lines longer will be reported.
     # '\t' is counted as 1 character by default, and can be changed with the tab-width option.

cmd/telegraf/telegraf.go

@@ -347,7 +347,7 @@ func (t *Telegraf) runAgent(ctx context.Context, c *config.Config, reloadConfig
 	}
 
 	if t.pidFile != "" {
-		f, err := os.OpenFile(t.pidFile, os.O_CREATE|os.O_WRONLY, 0644)
+		f, err := os.OpenFile(t.pidFile, os.O_CREATE|os.O_WRONLY, 0640)
 		if err != nil {
 			log.Printf("E! Unable to create pidfile: %s", err)
 		} else {

internal/rotate/file_writer_test.go

@@ -6,7 +6,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -21,7 +20,7 @@ func TestFileWriter_NoRotation(t *testing.T) {
 	_, err = writer.Write([]byte("Hello World 2"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 1, len(files))
+	require.Equal(t, 1, len(files))
 }
 
 func TestFileWriter_TimeRotation(t *testing.T) {
@@ -37,22 +36,22 @@ func TestFileWriter_TimeRotation(t *testing.T) {
 	_, err = writer.Write([]byte("Hello World 2"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_ReopenTimeRotation(t *testing.T) {
 	tempDir := t.TempDir()
 	interval, _ := time.ParseDuration("10ms")
 	filePath := filepath.Join(tempDir, "test.log")
-	err := os.WriteFile(filePath, []byte("Hello World"), 0644)
+	err := os.WriteFile(filePath, []byte("Hello World"), 0640)
 	time.Sleep(interval)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	writer, err := NewFileWriter(filepath.Join(tempDir, "test.log"), interval, 0, -1)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, writer.Close()) })
 
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_SizeRotation(t *testing.T) {
@@ -67,15 +66,15 @@ func TestFileWriter_SizeRotation(t *testing.T) {
 	_, err = writer.Write([]byte("World 2"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_ReopenSizeRotation(t *testing.T) {
 	tempDir := t.TempDir()
 	maxSize := int64(12)
 	filePath := filepath.Join(tempDir, "test.log")
-	err := os.WriteFile(filePath, []byte("Hello World"), 0644)
+	err := os.WriteFile(filePath, []byte("Hello World"), 0640)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	writer, err := NewFileWriter(filepath.Join(tempDir, "test.log"), 0, maxSize, -1)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, writer.Close()) })
@@ -83,7 +82,7 @@ func TestFileWriter_ReopenSizeRotation(t *testing.T) {
 	_, err = writer.Write([]byte("Hello World Again"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_DeleteArchives(t *testing.T) {
@@ -110,7 +109,7 @@ func TestFileWriter_DeleteArchives(t *testing.T) {
 	require.NoError(t, err)
 
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 3, len(files))
+	require.Equal(t, 3, len(files))
 
 	for _, tempFile := range files {
 		var bytes []byte
@@ -137,6 +136,6 @@ func TestFileWriter_CloseDoesNotRotate(t *testing.T) {
 	require.NoError(t, writer.Close())
 
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 1, len(files))
+	require.Equal(t, 1, len(files))
-	assert.Regexp(t, "^test.log$", files[0].Name())
+	require.Regexp(t, "^test.log$", files[0].Name())
 }

logger/logger_test.go

@@ -93,7 +93,7 @@ func TestWriteToTruncatedFile(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, f[19:], []byte("Z I! TEST\n"))
 
-	tmpf, err := os.OpenFile(tmpfile.Name(), os.O_RDWR|os.O_TRUNC, 0644)
+	tmpf, err := os.OpenFile(tmpfile.Name(), os.O_RDWR|os.O_TRUNC, 0640)
 	require.NoError(t, err)
 	require.NoError(t, tmpf.Close())
 

plugins/inputs/bcache/bcache_test.go

@@ -6,8 +6,9 @@ import (
 	"os"
 	"testing"
 
-	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/testutil"
 )
 
 const (
@@ -30,13 +31,13 @@ var (
 )
 
 func TestBcacheGeneratesMetrics(t *testing.T) {
-	err := os.MkdirAll(testBcacheUUIDPath, 0755)
+	err := os.MkdirAll(testBcacheUUIDPath, 0750)
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testBcacheDevPath, 0755)
+	err = os.MkdirAll(testBcacheDevPath, 0750)
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testBcacheBackingDevPath+"/bcache", 0755)
+	err = os.MkdirAll(testBcacheBackingDevPath+"/bcache", 0750)
 	require.NoError(t, err)
 
 	err = os.Symlink(testBcacheBackingDevPath+"/bcache", testBcacheUUIDPath+"/bdev0")
@@ -45,43 +46,34 @@ func TestBcacheGeneratesMetrics(t *testing.T) {
 	err = os.Symlink(testBcacheDevPath, testBcacheUUIDPath+"/bdev0/dev")
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testBcacheUUIDPath+"/bdev0/stats_total", 0755)
+	err = os.MkdirAll(testBcacheUUIDPath+"/bdev0/stats_total", 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/dirty_data",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/dirty_data", []byte(dirtyData), 0640)
-		[]byte(dirtyData), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/bypassed",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/bypassed", []byte(bypassed), 0640)
-		[]byte(bypassed), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_hits",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_hits", []byte(cacheBypassHits), 0640)
-		[]byte(cacheBypassHits), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_misses",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_misses", []byte(cacheBypassMisses), 0640)
-		[]byte(cacheBypassMisses), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hit_ratio",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hit_ratio", []byte(cacheHitRatio), 0640)
-		[]byte(cacheHitRatio), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hits",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hits", []byte(cacheHits), 0640)
-		[]byte(cacheHits), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_miss_collisions",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_miss_collisions", []byte(cacheMissCollisions), 0640)
-		[]byte(cacheMissCollisions), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_misses",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_misses", []byte(cacheMisses), 0640)
-		[]byte(cacheMisses), 0644)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_readaheads",
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_readaheads", []byte(cacheReadaheads), 0640)
-		[]byte(cacheReadaheads), 0644)
 	require.NoError(t, err)
 
 	fields := map[string]interface{}{

plugins/inputs/ceph/ceph_test.go

@@ -192,7 +192,7 @@ func createTestFiles(dir string, st *SockTest) error {
 	writeFile := func(prefix string, i int) error {
 		f := sockFile(prefix, i)
 		fpath := filepath.Join(dir, f)
-		return os.WriteFile(fpath, []byte(""), 0644)
+		return os.WriteFile(fpath, []byte(""), 0640)
 	}
 	return tstFileApply(st, writeFile)
 }

plugins/inputs/conntrack/conntrack_test.go

@@ -50,7 +50,7 @@ func TestDefaultsUsed(t *testing.T) {
 	dfltFiles = []string{fname}
 
 	count := 1234321
-	require.NoError(t, os.WriteFile(tmpFile.Name(), []byte(strconv.Itoa(count)), 0660))
+	require.NoError(t, os.WriteFile(tmpFile.Name(), []byte(strconv.Itoa(count)), 0640))
 	c := &Conntrack{}
 	require.NoError(t, c.Init())
 	acc := &testutil.Accumulator{}
@@ -80,8 +80,8 @@ func TestConfigsUsed(t *testing.T) {
 
 	count := 1234321
 	max := 9999999
-	require.NoError(t, os.WriteFile(cntFile.Name(), []byte(strconv.Itoa(count)), 0660))
+	require.NoError(t, os.WriteFile(cntFile.Name(), []byte(strconv.Itoa(count)), 0640))
-	require.NoError(t, os.WriteFile(maxFile.Name(), []byte(strconv.Itoa(max)), 0660))
+	require.NoError(t, os.WriteFile(maxFile.Name(), []byte(strconv.Itoa(max)), 0640))
 	c := &Conntrack{}
 	require.NoError(t, c.Init())
 	acc := &testutil.Accumulator{}

plugins/inputs/directory_monitor/directory_monitor.go

@@ -398,7 +398,7 @@ func (monitor *DirectoryMonitor) Init() error {
 
 	// Finished directory can be created if not exists for convenience.
 	if _, err := os.Stat(monitor.FinishedDirectory); os.IsNotExist(err) {
-		err = os.Mkdir(monitor.FinishedDirectory, 0755)
+		err = os.Mkdir(monitor.FinishedDirectory, 0750)
 		if err != nil {
 			return err
 		}
@@ -410,7 +410,7 @@ func (monitor *DirectoryMonitor) Init() error {
 	// If an error directory should be used but has not been configured yet, create one ourselves.
 	if monitor.ErrorDirectory != "" {
 		if _, err := os.Stat(monitor.ErrorDirectory); os.IsNotExist(err) {
-			err := os.Mkdir(monitor.ErrorDirectory, 0755)
+			err := os.Mkdir(monitor.ErrorDirectory, 0750)
 			if err != nil {
 				return err
 			}

plugins/inputs/directory_monitor/directory_monitor_test.go

@@ -77,7 +77,7 @@ func TestCSVGZImport(t *testing.T) {
 	require.NoError(t, err)
 	err = w.Close()
 	require.NoError(t, err)
-	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0666)
+	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0640)
 	require.NoError(t, err)
 
 	// Start plugin before adding file.
@@ -148,7 +148,7 @@ func TestCSVGZImportWithHeader(t *testing.T) {
 	require.NoError(t, err)
 	err = w.Close()
 	require.NoError(t, err)
-	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0666)
+	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0640)
 	require.NoError(t, err)
 
 	// Start plugin before adding file.
@@ -577,7 +577,7 @@ func TestParseSubdirectories(t *testing.T) {
 	err = f.Close()
 	require.NoError(t, err)
 
-	// Write json file to process into a subdirectory in the the 'process' directory.
+	// Write json file to process into a subdirectory in the 'process' directory.
 	err = os.Mkdir(filepath.Join(processDirectory, "sub"), os.ModePerm)
 	require.NoError(t, err)
 	f, err = os.Create(filepath.Join(processDirectory, "sub", testJSONFile))

plugins/inputs/linux_cpu/linux_cpu_test.go

@@ -3,11 +3,12 @@
 package linux_cpu
 
 import (
-	"github.com/influxdata/telegraf/testutil"
 	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/testutil"
 )
 
 func TestNoMetrics(t *testing.T) {
@@ -43,14 +44,14 @@ func TestGatherCPUFreq(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0640))
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu1/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq", []byte("123\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq", []byte("123\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_min_freq", []byte("80\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_min_freq", []byte("80\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_max_freq", []byte("230\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_max_freq", []byte("230\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},
@@ -91,9 +92,9 @@ func TestGatherThermal(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/thermal_throttle", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_count", []byte("250\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_count", []byte("250\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_max_time_ms", []byte("100\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_max_time_ms", []byte("100\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_total_time_ms", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_total_time_ms", []byte("255\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},
@@ -117,9 +118,9 @@ func TestGatherPropertyRemoved(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},
@@ -153,9 +154,9 @@ func TestGatherPropertyInvalid(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("ABC\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("ABC\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},

plugins/inputs/linux_sysctl_fs/linux_sysctl_fs_test.go

@@ -4,19 +4,20 @@ import (
 	"os"
 	"testing"
 
-	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/testutil"
 )
 
 func TestSysctlFSGather(t *testing.T) {
 	td := t.TempDir()
 
-	require.NoError(t, os.WriteFile(td+"/aio-nr", []byte("100\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/aio-nr", []byte("100\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/aio-max-nr", []byte("101\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/aio-max-nr", []byte("101\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/super-nr", []byte("102\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/super-nr", []byte("102\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/super-max", []byte("103\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/super-max", []byte("103\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/file-nr", []byte("104\t0\t106\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/file-nr", []byte("104\t0\t106\n"), 0640))
-	require.NoError(t, os.WriteFile(td+"/inode-state", []byte("107\t108\t109\t0\t0\t0\t0\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/inode-state", []byte("107\t108\t109\t0\t0\t0\t0\n"), 0640))
 
 	sfs := &SysctlFS{
 		path: td,

plugins/inputs/logparser/logparser_test.go

@@ -141,7 +141,7 @@ func TestGrokParseLogFilesAppearLater(t *testing.T) {
 	input, err := os.ReadFile(filepath.Join(testdataDir, "test_a.log"))
 	require.NoError(t, err)
 
-	err = os.WriteFile(filepath.Join(emptydir, "test_a.log"), input, 0644)
+	err = os.WriteFile(filepath.Join(emptydir, "test_a.log"), input, 0640)
 	require.NoError(t, err)
 
 	require.NoError(t, acc.GatherError(logparser.Gather))

plugins/inputs/lustre2/lustre2_test.go

@@ -6,11 +6,11 @@ import (
 	"os"
 	"testing"
 
+	"github.com/influxdata/toml"
+	"github.com/influxdata/toml/ast"
 	"github.com/stretchr/testify/require"
 
 	"github.com/influxdata/telegraf/testutil"
-	"github.com/influxdata/toml"
-	"github.com/influxdata/toml/ast"
 )
 
 // Set config file variables to point to fake directory structure instead of /proc?
@@ -136,24 +136,24 @@ func TestLustre2GeneratesMetrics(t *testing.T) {
 	ostName := "OST0001"
 
 	mdtdir := tempdir + "/mdt/"
-	err := os.MkdirAll(mdtdir+"/"+ostName, 0755)
+	err := os.MkdirAll(mdtdir+"/"+ostName, 0750)
 	require.NoError(t, err)
 
 	osddir := tempdir + "/osd-ldiskfs/"
-	err = os.MkdirAll(osddir+"/"+ostName, 0755)
+	err = os.MkdirAll(osddir+"/"+ostName, 0750)
 	require.NoError(t, err)
 
 	obddir := tempdir + "/obdfilter/"
-	err = os.MkdirAll(obddir+"/"+ostName, 0755)
+	err = os.MkdirAll(obddir+"/"+ostName, 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(mdtdir+"/"+ostName+"/md_stats", []byte(mdtProcContents), 0644)
+	err = os.WriteFile(mdtdir+"/"+ostName+"/md_stats", []byte(mdtProcContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(osddir+"/"+ostName+"/stats", []byte(osdldiskfsProcContents), 0644)
+	err = os.WriteFile(osddir+"/"+ostName+"/stats", []byte(osdldiskfsProcContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(obddir+"/"+ostName+"/stats", []byte(obdfilterProcContents), 0644)
+	err = os.WriteFile(obddir+"/"+ostName+"/stats", []byte(obdfilterProcContents), 0640)
 	require.NoError(t, err)
 
 	// Begin by testing standard Lustre stats
@@ -208,17 +208,17 @@ func TestLustre2GeneratesClientMetrics(t *testing.T) {
 	ostName := "OST0001"
 	clientName := "10.2.4.27@o2ib1"
 	mdtdir := tempdir + "/mdt/"
-	err := os.MkdirAll(mdtdir+"/"+ostName+"/exports/"+clientName, 0755)
+	err := os.MkdirAll(mdtdir+"/"+ostName+"/exports/"+clientName, 0750)
 	require.NoError(t, err)
 
 	obddir := tempdir + "/obdfilter/"
-	err = os.MkdirAll(obddir+"/"+ostName+"/exports/"+clientName, 0755)
+	err = os.MkdirAll(obddir+"/"+ostName+"/exports/"+clientName, 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(mdtdir+"/"+ostName+"/exports/"+clientName+"/stats", []byte(mdtProcContents), 0644)
+	err = os.WriteFile(mdtdir+"/"+ostName+"/exports/"+clientName+"/stats", []byte(mdtProcContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(obddir+"/"+ostName+"/exports/"+clientName+"/stats", []byte(obdfilterProcContents), 0644)
+	err = os.WriteFile(obddir+"/"+ostName+"/exports/"+clientName+"/stats", []byte(obdfilterProcContents), 0640)
 	require.NoError(t, err)
 
 	// Begin by testing standard Lustre stats
@@ -272,17 +272,17 @@ func TestLustre2GeneratesJobstatsMetrics(t *testing.T) {
 	jobNames := []string{"cluster-testjob1", "testjob2"}
 
 	mdtdir := tempdir + "/mdt/"
-	err := os.MkdirAll(mdtdir+"/"+ostName, 0755)
+	err := os.MkdirAll(mdtdir+"/"+ostName, 0750)
 	require.NoError(t, err)
 
 	obddir := tempdir + "/obdfilter/"
-	err = os.MkdirAll(obddir+"/"+ostName, 0755)
+	err = os.MkdirAll(obddir+"/"+ostName, 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(mdtdir+"/"+ostName+"/job_stats", []byte(mdtJobStatsContents), 0644)
+	err = os.WriteFile(mdtdir+"/"+ostName+"/job_stats", []byte(mdtJobStatsContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(obddir+"/"+ostName+"/job_stats", []byte(obdfilterJobStatsContents), 0644)
+	err = os.WriteFile(obddir+"/"+ostName+"/job_stats", []byte(obdfilterJobStatsContents), 0640)
 	require.NoError(t, err)
 
 	// Test Lustre Jobstats

plugins/inputs/passenger/passenger_test.go

@@ -26,6 +26,7 @@ func fakePassengerStatus(stat string) (string, error) {
 	}
 
 	tempFilePath := filepath.Join(os.TempDir(), "passenger-status"+fileExtension)
+	//nolint:gosec // G306: Expect WriteFile permissions to be 0640 or less - this file needs to be executed
 	if err := os.WriteFile(tempFilePath, []byte(content), 0700); err != nil {
 		return "", err
 	}

plugins/inputs/postfix/postfix_test.go

@@ -16,15 +16,15 @@ func TestGather(t *testing.T) {
 	td := t.TempDir()
 
 	for _, q := range []string{"active", "hold", "incoming", "maildrop", "deferred/0/0", "deferred/F/F"} {
-		require.NoError(t, os.MkdirAll(filepath.FromSlash(td+"/"+q), 0755))
+		require.NoError(t, os.MkdirAll(filepath.FromSlash(td+"/"+q), 0750))
 	}
 
-	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/active/01"), []byte("abc"), 0644))
+	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/active/01"), []byte("abc"), 0640))
-	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/active/02"), []byte("defg"), 0644))
+	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/active/02"), []byte("defg"), 0640))
-	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/hold/01"), []byte("abc"), 0644))
+	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/hold/01"), []byte("abc"), 0640))
-	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/incoming/01"), []byte("abcd"), 0644))
+	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/incoming/01"), []byte("abcd"), 0640))
-	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/deferred/0/0/01"), []byte("abc"), 0644))
+	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/deferred/0/0/01"), []byte("abc"), 0640))
-	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/deferred/F/F/F1"), []byte("abc"), 0644))
+	require.NoError(t, os.WriteFile(filepath.FromSlash(td+"/deferred/F/F/F1"), []byte("abc"), 0640))
 
 	p := Postfix{
 		QueueDirectory: td,

plugins/inputs/procstat/procstat_test.go

@@ -385,7 +385,7 @@ func TestGather_cgroupPIDs(t *testing.T) {
 		t.Skip("no cgroups in windows")
 	}
 	td := t.TempDir()
-	err := os.WriteFile(filepath.Join(td, "cgroup.procs"), []byte("1234\n5678\n"), 0644)
+	err := os.WriteFile(filepath.Join(td, "cgroup.procs"), []byte("1234\n5678\n"), 0640)
 	require.NoError(t, err)
 
 	p := Procstat{

plugins/inputs/zfs/zfs_linux_test.go

@@ -7,8 +7,9 @@ import (
 	"os"
 	"testing"
 
-	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/testutil"
 )
 
 const arcstatsContents = `5 1 0x01 86 4128 23617128247 12081618582809582
@@ -195,16 +196,16 @@ scatter_sg_table_retry          4    99221
 var testKstatPath = os.TempDir() + "/telegraf/proc/spl/kstat/zfs"
 
 func TestZfsPoolMetrics(t *testing.T) {
-	err := os.MkdirAll(testKstatPath, 0755)
+	err := os.MkdirAll(testKstatPath, 0750)
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testKstatPath+"/HOME", 0755)
+	err = os.MkdirAll(testKstatPath+"/HOME", 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/HOME/io", []byte(poolIoContents), 0644)
+	err = os.WriteFile(testKstatPath+"/HOME/io", []byte(poolIoContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/arcstats", []byte(arcstatsContents), 0644)
+	err = os.WriteFile(testKstatPath+"/arcstats", []byte(arcstatsContents), 0640)
 	require.NoError(t, err)
 
 	poolMetrics := getPoolMetrics()
@@ -229,7 +230,7 @@ func TestZfsPoolMetrics(t *testing.T) {
 
 	acc.AssertContainsTaggedFields(t, "zfs_pool", poolMetrics, tags)
 
-	err = os.WriteFile(testKstatPath+"/HOME/objset-0x20a", []byte(objsetContents), 0644)
+	err = os.WriteFile(testKstatPath+"/HOME/objset-0x20a", []byte(objsetContents), 0640)
 	require.NoError(t, err)
 
 	acc.Metrics = nil
@@ -247,31 +248,31 @@ func TestZfsPoolMetrics(t *testing.T) {
 }
 
 func TestZfsGeneratesMetrics(t *testing.T) {
-	err := os.MkdirAll(testKstatPath, 0755)
+	err := os.MkdirAll(testKstatPath, 0750)
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testKstatPath+"/HOME", 0755)
+	err = os.MkdirAll(testKstatPath+"/HOME", 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/HOME/io", []byte(""), 0644)
+	err = os.WriteFile(testKstatPath+"/HOME/io", []byte(""), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/arcstats", []byte(arcstatsContents), 0644)
+	err = os.WriteFile(testKstatPath+"/arcstats", []byte(arcstatsContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/zfetchstats", []byte(zfetchstatsContents), 0644)
+	err = os.WriteFile(testKstatPath+"/zfetchstats", []byte(zfetchstatsContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/zil", []byte(zilContents), 0644)
+	err = os.WriteFile(testKstatPath+"/zil", []byte(zilContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/fm", []byte(fmContents), 0644)
+	err = os.WriteFile(testKstatPath+"/fm", []byte(fmContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/dmu_tx", []byte(dmuTxContents), 0644)
+	err = os.WriteFile(testKstatPath+"/dmu_tx", []byte(dmuTxContents), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/abdstats", []byte(abdstatsContents), 0644)
+	err = os.WriteFile(testKstatPath+"/abdstats", []byte(abdstatsContents), 0640)
 	require.NoError(t, err)
 
 	intMetrics := getKstatMetricsAll()
@@ -291,10 +292,10 @@ func TestZfsGeneratesMetrics(t *testing.T) {
 	acc.Metrics = nil
 
 	//two pools, all metrics
-	err = os.MkdirAll(testKstatPath+"/STORAGE", 0755)
+	err = os.MkdirAll(testKstatPath+"/STORAGE", 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testKstatPath+"/STORAGE/io", []byte(""), 0644)
+	err = os.WriteFile(testKstatPath+"/STORAGE/io", []byte(""), 0640)
 	require.NoError(t, err)
 
 	tags = map[string]string{

plugins/inputs/zipkin/cmd/thrift_serialize/thrift_serialize.go

@@ -62,7 +62,7 @@ func main() {
 		if err != nil {
 			log.Fatalf("%v\n", err)
 		}
-		if err := os.WriteFile(outFileName, raw, 0644); err != nil {
+		if err := os.WriteFile(outFileName, raw, 0640); err != nil {
 			log.Fatalf("%v", err)
 		}
 	case "thrift":
@@ -70,7 +70,7 @@ func main() {
 		if err != nil {
 			log.Fatalf("%v\n", err)
 		}
-		if err := os.WriteFile(outFileName, raw, 0644); err != nil {
+		if err := os.WriteFile(outFileName, raw, 0640); err != nil {
 			log.Fatalf("%v", err)
 		}
 	default:

tools/update_goversion/main.go

@@ -29,7 +29,7 @@ func (f FileInfo) Update() error {
 	re := regexp.MustCompile(f.Regex)
 	newContents := re.ReplaceAll(b, []byte(f.Replace))
 
-	err = os.WriteFile(f.FileName, newContents, 0664)
+	err = os.WriteFile(f.FileName, newContents, 0640)
 	if err != nil {
 		return err
 	}