enforce permissions 0600 on sensitive files

ivandeex · Jan 17, 2022 · f4711c9 · f4711c9
1 parent 64d9f2f
commit f4711c9
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 8 deletions.
diff --git a/git/list.go b/git/list.go
@@ -41,12 +41,7 @@ func (a *action) chmodFiles(files []string) error {
 	}
 	for _, path := range files {
 		path = a.toAbsPath(path)
-		fi, err := os.Stat(path)
-		if err != nil {
-			return err
-		}
-		mode := fi.Mode() & 0770 // disable "other" access
-		if err = os.Chmod(path, mode); err != nil {
+		if err = os.Chmod(path, permSecret); err != nil {
 			return err
 		}
 	}
@@ -77,7 +72,7 @@ func (a *action) smudgeFiles(files []string) error {
 			err = os.Remove(path)
 		}
 		if err == nil {
-			err = ioutil.WriteFile(path, output, 0644) // FIXME 0640
+			err = ioutil.WriteFile(path, output, permSecret)
 		}
 		if err != nil {
 			return err

diff --git a/git/repo.go b/git/repo.go
@@ -120,7 +120,7 @@ func (a *action) setupRepo(force bool, probeFile, probeText string) error {
 		return err
 	}
 
-	if err = os.Chmod(a.dotGit("config"), 0600); err != nil {
+	if err = os.Chmod(a.dotGit("config"), permSecret); err != nil {
 		return err
 	}
 

diff --git a/git/util.go b/git/util.go
@@ -17,6 +17,8 @@ import (
 	"go.mozilla.org/sops/v3/cmd/sops/common"
 )
 
+const permSecret = 0600
+
 var errInvalidAgeRecs = errors.New("invalid or absent encryption password")
 
 func getInput(path string, stdin bool) (data []byte, err error) {