Comment 13 for bug 909189

I still don't like it, there are race conditions between opening files and making them root only all over the place.
also you create tempfiles with user permissions but which are then used by root.
sudo mktemp will create files with proper permissions.

For the crontab updating I would not go to the filesystem at all, instead I would pipe in the new result via stdin:
(sudo crontab -l; echo "some new cron") | sudo crontab -

or the equivalent with python subprocess (w/o sudo)
import subprocess
curcron = subprocess.check_output(["crontab", "-l"])
# on non-debian systems you might get 3 lines of headers out of crontab -l
strip_headers(curcron)
updatecron = subprocess.Popen(["crontab", "-"], stdin = subprocess.PIPE)
updatecron.communicate(curcron+"1 0 * * * echo\n")