Write ContextCache atomically with owner-only file and directory mode

[co-cy]

What does this PR do?

salt.utils.cache.ContextCache.cache_context opens the cache file through salt.utils.files.fopen(self.cache_path, "w+b") and lets the process umask pick the file mode; the parent directory is created via plain os.mkdir() with no mode argument. On default Linux installs the file ends up 0o644 (world-readable) inside a 0o755 directory.

The cache holds pillar context — pillar values plus surrounding state, including credentials sourced from external pillar backends (vault, git_pillar, consul). With the default modes any local user can:

• ls /var/cache/salt/master/context/ → see filenames like salt.loaded.ext.pillar.vault.p, salt.loaded.ext.pillar.git_pillar.p — leaks which external-pillar backends and modules are in use;
• cat <file> → read the credentials directly.

A separate but related rough edge: the same code path rewrites the cache in place via "w+b" mode, which truncates the file before writing back. A concurrent reader can observe a half-written file and fail to deserialize.

This PR makes two changes:

1. The file write goes through tempfile.mkstemp + os.replace. mkstemp creates the temporary file with mode 0o600 by default (per its documented contract: "the file is readable and writable only by the creating user ID"); os.replace atomically renames it into place. The final cache file therefore has the correct mode from the first byte, and concurrent readers never see a partial write.
2. The parent context/ directory is created with mode=stat.S_IRWXU (0o700).

What issues does this PR fix or reference?

Fixes #69069

Previous Behavior

def cache_context(self, context):
    if not os.path.isdir(os.path.dirname(self.cache_path)):
        os.mkdir(os.path.dirname(self.cache_path))     # 0o755 on default umask
    with salt.utils.files.fopen(self.cache_path, "w+b") as cache:
        salt.payload.dump(context, cache)              # 0o644 on default umask

$ ls -ld /var/cache/salt/master/context/
drwxr-xr-x 2 salt salt  context/
$ ls -l /var/cache/salt/master/context/*.p
-rw-r--r-- 1 salt salt  jinja2.p

New Behavior

def cache_context(self, context):
    parent = os.path.dirname(self.cache_path)
    if not os.path.isdir(parent):
        os.mkdir(parent, mode=stat.S_IRWXU)            # 0o700
    fd, tmp_path = tempfile.mkstemp(dir=parent, prefix=".tmp_")
    try:
        with os.fdopen(fd, "wb") as cache:
            salt.payload.dump(context, cache)
        os.replace(tmp_path, self.cache_path)          # atomic, inherits mkstemp's 0o600
    except BaseException:
        with contextlib.suppress(OSError):
            os.unlink(tmp_path)
        raise

$ ls -ld /var/cache/salt/master/context/
drwx------ 2 salt salt  context/
$ ls -l /var/cache/salt/master/context/*.p
-rw------- 1 salt salt  jinja2.p

Migration note

Existing context/ directories from earlier installs are left untouched — auto-changing their mode would be surprising (some operators may have deliberately set them differently for monitoring tools). On upgrade, operators can run chmod 0700 on their cache context directory once. New installs and freshly-created directories get the right mode automatically.

Crash-safety note

If the process is killed (SIGKILL / OOM / power loss) between mkstemp and os.replace, the .tmp_* file remains on disk. It is mode 0o600 so this is operational hygiene rather than a security issue; operators can clean stale temporaries with find <cachedir>/context/ -name '.tmp_*' -mtime +1 -delete.

Merge requirements satisfied?

• Docs (no user-facing config or API change; not required)
• Changelog — changelog/69069.fixed.md
• Tests written/updated — see tests/pytests/unit/utils/test_cache.py:
  • test_cache_context_writes_with_owner_only_mode — file is 0o600.
  • test_cache_context_creates_parent_directory_with_owner_only_mode — parent is 0o700.
  • test_cache_context_overwrites_atomically_via_replace — successive writes use distinct inodes (proves atomic rename rather than in-place truncate).

Commits signed with GPG?

No.