mpuppe/secrets
1
0
Fork 0
mirror of https://codeberg.org/puppe/secrets.git synced 2025-12-20 00:42:17 +01:00
Code Issues Projects Releases Packages Wiki Activity

Create and set permissions of files atomically

Browse source 
Apparently it is not safe to first create a file with touch and then set
permissions with chmod. An unprivileged user could open the file in
between. See
https://github.com/NixOS/nixpkgs/pull/60138#discussion_r623971755.
This commit is contained in:
Martin Puppe 2021-10-02 00:24:14 +02:00
parent fb34a0834c
commit 698fc0c6d3
1 changed files with 2 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

7
secrets
View file

@ -91,16 +91,13 @@ echo "!*data" >&2
read basedir read basedir
if test ! -d "$basedir"; then if test ! -d "$basedir"; then
mkdir "$basedir" install -o root -g root -m 755 -d "$basedir"
chown root:root "$basedir"
chmod 755 "$basedir"
fi fi
rm -rf "$basedir"/* rm -rf "$basedir"/*
while read name; do while read name; do
fullpath="$basedir/$name" fullpath="$basedir/$name"
touch "$fullpath" install -o root -g root -m 600 /dev/null "$fullpath"
chmod 600 "$fullpath"
read size read size
head --bytes="$size" - > "$fullpath" head --bytes="$size" - > "$fullpath"
read owner read owner