From a176723b9cb38f1fd2b03e6acc7bce0192617ca9 Mon Sep 17 00:00:00 2001
From: Kim Gustyr <kim.gustyr@flagsmith.com>
Date: Wed, 12 Nov 2025 11:20:59 +0000
Subject: [PATCH 1/2] permissions are hard

---
 src/common/core/utils.py | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/src/common/core/utils.py b/src/common/core/utils.py
index c73f4d3..f30ecd7 100644
--- a/src/common/core/utils.py
+++ b/src/common/core/utils.py
@@ -208,9 +208,7 @@ def clear_directory(directory_path: str) -> None:
     """
     for p in pathlib.Path(directory_path).rglob("*"):
         try:
-            # Ensure that the cleanup doesn't silently fail on
-            # files and subdirs created by other users.
-            p.chmod(0o777)
+            p.chmod(0o700)
         except (PermissionError, FileNotFoundError):  # pragma: no cover
             pass
 
@@ -218,12 +216,4 @@ def clear_directory(directory_path: str) -> None:
 
 
 def make_writable_directory(directory_path: str) -> None:
-    os.makedirs(directory_path, exist_ok=True)
-
-    try:
-        # While `mkdir` sets mode=0o777 by default, this can be affected by umask
-        # resulting in lesser permissions for other users. This step ensures the
-        # directory is writable for all users.
-        os.chmod(directory_path, 0o777)
-    except PermissionError:  # pragma: no cover
-        pass
+    os.makedirs(directory_path, exist_ok=True, mode=0o700)

From 3292d5d8d8edeefcbf9fedeed99e94e88077ce3d Mon Sep 17 00:00:00 2001
From: Kim Gustyr <kim.gustyr@flagsmith.com>
Date: Wed, 12 Nov 2025 13:51:15 +0000
Subject: [PATCH 2/2] remove cleanup logic

---
 src/common/core/main.py             | 13 +++----------
 src/common/core/utils.py            | 19 -------------------
 tests/integration/core/test_main.py | 20 --------------------
 3 files changed, 3 insertions(+), 49 deletions(-)

diff --git a/src/common/core/main.py b/src/common/core/main.py
index 20149e3..c163806 100644
--- a/src/common/core/main.py
+++ b/src/common/core/main.py
@@ -3,15 +3,13 @@
 import os
 import sys
 import typing
-from tempfile import gettempdir
+from tempfile import mkdtemp
 
 from django.core.management import (
     execute_from_command_line as django_execute_from_command_line,
 )
 
 from common.core.cli import healthcheck
-from common.core.constants import DEFAULT_PROMETHEUS_MULTIPROC_DIR_NAME
-from common.core.utils import clear_directory, make_writable_directory
 
 logger = logging.getLogger(__name__)
 
@@ -37,13 +35,8 @@ def ensure_cli_env() -> typing.Generator[None, None, None]:
     # TODO @khvn26 Move logging setup to here
 
     # Prometheus multiproc support
-    prom_dir = os.environ.setdefault(
-        "PROMETHEUS_MULTIPROC_DIR",
-        os.path.join(gettempdir(), DEFAULT_PROMETHEUS_MULTIPROC_DIR_NAME),
-    )
-    if os.path.exists(prom_dir):
-        clear_directory(prom_dir)
-    make_writable_directory(prom_dir)
+    if not os.environ.get("PROMETHEUS_MULTIPROC_DIR"):
+        os.environ["PROMETHEUS_MULTIPROC_DIR"] = mkdtemp(prefix="flagsmith-prometheus-")
 
     # Currently we don't install Flagsmith modules as a package, so we need to add
     # $CWD to the Python path to be able to import them
diff --git a/src/common/core/utils.py b/src/common/core/utils.py
index f30ecd7..cf747ab 100644
--- a/src/common/core/utils.py
+++ b/src/common/core/utils.py
@@ -1,9 +1,7 @@
 import json
 import logging
-import os
 import pathlib
 import random
-import shutil
 from functools import lru_cache
 from itertools import cycle
 from typing import (
@@ -200,20 +198,3 @@ def using_database_replica(
         return manager
 
     return manager.db_manager(chosen_replica)
-
-
-def clear_directory(directory_path: str) -> None:
-    """
-    Safely clear a directory including all subdirectories and files.
-    """
-    for p in pathlib.Path(directory_path).rglob("*"):
-        try:
-            p.chmod(0o700)
-        except (PermissionError, FileNotFoundError):  # pragma: no cover
-            pass
-
-    shutil.rmtree(directory_path, ignore_errors=True)
-
-
-def make_writable_directory(directory_path: str) -> None:
-    os.makedirs(directory_path, exist_ok=True, mode=0o700)
diff --git a/tests/integration/core/test_main.py b/tests/integration/core/test_main.py
index 4a248f5..fbe5885 100644
--- a/tests/integration/core/test_main.py
+++ b/tests/integration/core/test_main.py
@@ -3,7 +3,6 @@
 import django
 import pytest
 from django.core.management import ManagementUtility
-from pyfakefs.fake_filesystem import FakeFilesystem
 from pytest_httpserver import HTTPServer
 
 from common.core.main import main
@@ -109,25 +108,6 @@ def test_main__healthcheck_http__server_invalid_response__runs_expected(
         main(argv)
 
 
-def test_main__prometheus_multiproc_remove_dir_on_start_default__expected(
-    monkeypatch: pytest.MonkeyPatch,
-    fs: FakeFilesystem,
-) -> None:
-    # Given
-    monkeypatch.delenv("PROMETHEUS_MULTIPROC_DIR_KEEP", raising=False)
-
-    fs.create_file(
-        "/tmp/flagsmith-prometheus/some_metric_file.db",
-        create_missing_dirs=True,
-    )
-
-    # When
-    main(["flagsmith"])
-
-    # Then
-    assert not fs.exists("/tmp/flagsmith-prometheus/some_metric_file.db")
-
-
 def test_main__no_django_configured__expected_0(
     monkeypatch: pytest.MonkeyPatch,
 ) -> None: