From bc182032eb4a1cbae573c9f09bdd9f8338b20d23 Mon Sep 17 00:00:00 2001 From: Levente Polyak Date: Wed, 5 Apr 2023 22:58:49 +0200 Subject: config: fixup file permissions to be more strict Normally the default in Arch is that all home directories are private. However, this may have been changed locally. To make sure we never expose secrets, lets use a umask of 0077 when writing the config. Additionally add some temporary fixup code to migrate the file and directory permissions of already existing paths. Signed-off-by: Levente Polyak --- src/lib/config.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/lib/config.sh b/src/lib/config.sh index ba6532e..b09479a 100644 --- a/src/lib/config.sh +++ b/src/lib/config.sh @@ -14,6 +14,13 @@ readonly XDG_DEVTOOLS_GITLAB_CONFIG="${XDG_DEVTOOLS_DIR}/gitlab.conf" export GITLAB_TOKEN="" load_devtools_config() { + # temporary permission fixup + if [[ -d "${XDG_DEVTOOLS_DIR}" ]]; then + chmod 700 "${XDG_DEVTOOLS_DIR}" + fi + if [[ -f "${XDG_DEVTOOLS_GITLAB_CONFIG}" ]]; then + chmod 600 "${XDG_DEVTOOLS_GITLAB_CONFIG}" + fi if [[ -n "${DEVTOOLS_GITLAB_TOKEN}" ]]; then GITLAB_TOKEN="${DEVTOOLS_GITLAB_TOKEN}" return @@ -26,6 +33,16 @@ load_devtools_config() { } save_devtools_config() { - mkdir -p "${XDG_DEVTOOLS_DIR}" - printf 'GITLAB_TOKEN="%s"\n' "${GITLAB_TOKEN}" > "${XDG_DEVTOOLS_GITLAB_CONFIG}" + # temporary permission fixup + if [[ -d "${XDG_DEVTOOLS_DIR}" ]]; then + chmod 700 "${XDG_DEVTOOLS_DIR}" + fi + if [[ -f "${XDG_DEVTOOLS_GITLAB_CONFIG}" ]]; then + chmod 600 "${XDG_DEVTOOLS_GITLAB_CONFIG}" + fi + ( + umask 0077 + mkdir -p "${XDG_DEVTOOLS_DIR}" + printf 'GITLAB_TOKEN="%s"\n' "${GITLAB_TOKEN}" > "${XDG_DEVTOOLS_GITLAB_CONFIG}" + ) } -- cgit v1.2.3-70-g09d2