From a5b805f03d5add8a1750f564bebf9f6eac035ec1 Mon Sep 17 00:00:00 2001
From: ebiggers
Date: Wed, 23 Oct 2019 22:18:45 -0700
Subject: actions/config: ensure config file is created with mode 0644 (#152)

If the user has set a restrictive umask, e.g. 0077, then /etc/fscrypt.conf would be created without the world-readable bit set. Fix it by overriding the umask when creating the file.

Resolves https://github.com/google/fscrypt/issues/151
---
 actions/config.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'actions/config.go')
diff --git a/actions/config.go b/actions/config.go
index 386edc4..7fdaf5b 100644
--- a/actions/config.go
+++ b/actions/config.go
@@ -31,6 +31,7 @@ import (
 "golang.org/x/sys/unix"
 "github.com/google/fscrypt/crypto"
+ "github.com/google/fscrypt/filesystem"
 "github.com/google/fscrypt/metadata"
 "github.com/google/fscrypt/util"
 )
@@ -68,7 +69,8 @@ var (
 func CreateConfigFile(target time.Duration, useLegacy bool) error {
 // Create the config file before computing the hashing costs, so we fail
 // immediately if the program has insufficient permissions.
- configFile, err := os.OpenFile(ConfigFileLocation, createFlags, configPermissions)
+ configFile, err := filesystem.OpenFileOverridingUmask(ConfigFileLocation,
+ createFlags, configPermissions)
 switch {
 case os.IsExist(err):
 return ErrConfigFileExists
-- cgit v1.2.3
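Review bot: The new call in `CreateConfigFile` depends on how `filesystem.OpenFileOverridingUmask` overrides the umask, which this patch does not show; the umask is process-wide, so if the helper clears it with `unix.Umask(0)` and restores it afterwards, a file created by any other goroutine in that window also escapes the user's restrictive umask. If that is how it works, an alternative that touches no global state is to keep the plain `os.OpenFile` call and set the mode on the new descriptor after the error switch, `if err = configFile.Chmod(configPermissions); err != nil { return err }`. That is only sound when `createFlags` includes `O_EXCL`, which the `os.IsExist` branch suggests but the hunk does not show. A one-line comment above the call saying why the config must stay world-readable would also help, since deliberately ignoring a 0077 umask reads like a mistake to a later maintainer. `CreateConfigFile` continues past the end of the hunk.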