From 698fc0c6d3644054434d1e7ebfc75505f1998311 Mon Sep 17 00:00:00 2001
From: Martin Puppe <dev@mpuppe.de>
Date: Sat, 2 Oct 2021 00:24:14 +0200
Subject: [PATCH] Create and set permissions of files atomically

Apparently it is not safe to first create a file with touch and then set
permissions with chmod. An unprivileged user could open the file in
between. See
https://github.com/NixOS/nixpkgs/pull/60138#discussion_r623971755.
---
 secrets | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/secrets b/secrets
index dace9b5..33fb326 100755
--- a/secrets
+++ b/secrets
@@ -91,16 +91,13 @@ echo "!*data" >&2
 
 read basedir
 if test ! -d "$basedir"; then
-    mkdir "$basedir"
-    chown root:root "$basedir"
-    chmod 755 "$basedir"
+    install -o root -g root -m 755 -d "$basedir"
 fi
 rm -rf "$basedir"/*
 
 while read name; do
     fullpath="$basedir/$name"
-    touch "$fullpath"
-    chmod 600 "$fullpath"
+    install -o root -g root -m 600 /dev/null "$fullpath"
     read size
     head --bytes="$size" - > "$fullpath"
     read owner