From a5b805f03d5add8a1750f564bebf9f6eac035ec1 Mon Sep 17 00:00:00 2001
From: ebiggers
Date: Wed, 23 Oct 2019 22:18:45 -0700
Subject: actions/config: ensure config file is created with mode 0644 (#152)

If the user has set a restrictive umask, e.g. 0077, then /etc/fscrypt.conf would be created without the world-readable bit set. Fix it by overriding the umask when creating the file.

Resolves https://github.com/google/fscrypt/issues/151
---
filesystem/path.go | 10 ++++++++++
1 file changed, 10 insertions(+)

(limited to 'filesystem/path.go')

diff --git a/filesystem/path.go b/filesystem/path.go
index 5fd3fdf..cfc3dc0 100644
--- a/filesystem/path.go
+++ b/filesystem/path.go
@@ -24,9 +24,19 @@ import (
 "os"
 "path/filepath"
 
+ "golang.org/x/sys/unix"
+
 "github.com/pkg/errors"
 )
 
+// OpenFileOverridingUmask calls os.OpenFile but with the umask overridden so
+// that no permission bits are masked out if the file is created.
+func OpenFileOverridingUmask(name string, flag int, perm os.FileMode) (*os.File, error) {
+ oldMask := unix.Umask(0)
+ defer unix.Umask(oldMask)
+ return os.OpenFile(name, flag, perm)
+}
+
 // We only check the unix permissions and the sticky bit
 const permMask = os.ModeSticky | os.ModePerm
 
-- 
cgit v1.2.3
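Review bot: `unix.Umask(0)` in `OpenFileOverridingUmask` changes the umask for the whole process, not just this call, so any file or directory another goroutine creates between the `Umask(0)` and the deferred restore is created with no permission bits masked out. Whether callers run concurrently with other file creation is not visible in this hunk, but the doc comment should state the constraint, e.g. `// The umask is process-wide: callers must not create other files concurrently, and perm is applied exactly as given.` An alternative that avoids touching global state is to open the file and then set the mode on the descriptor with `f.Chmod(perm)` when the file was newly created (for example under `os.O_EXCL`), since fchmod is not subject to the umask.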