cli: use file mode 0600 when saving a snapshot

So that other users on the machine can not access the snapshot data.
This commit is contained in:
Daniel Nephin 2021-12-23 16:34:54 -05:00
parent 0166b0839c
commit ff7f3a9737
2 changed files with 8 additions and 3 deletions

View File

@ -5,11 +5,12 @@ import (
"fmt"
"os"
"github.com/mitchellh/cli"
"github.com/rboyer/safeio"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/flags"
"github.com/hashicorp/consul/snapshot"
"github.com/mitchellh/cli"
"github.com/rboyer/safeio"
)
func New(ui cli.Ui) *cmd {
@ -71,7 +72,7 @@ func (c *cmd) Run(args []string) int {
// Save the file first.
unverifiedFile := file + ".unverified"
if _, err := safeio.WriteToFile(snap, unverifiedFile, 0666); err != nil {
if _, err := safeio.WriteToFile(snap, unverifiedFile, 0600); err != nil {
c.UI.Error(fmt.Sprintf("Error writing unverified snapshot file: %s", err))
return 1
}

View File

@ -94,6 +94,10 @@ func TestSnapshotSaveCommand(t *testing.T) {
t.Fatalf("bad: %d. %#v", code, ui.ErrorWriter.String())
}
fi, err := os.Stat(file)
require.NoError(t, err)
require.Equal(t, fi.Mode(), os.FileMode(0600))
f, err := os.Open(file)
if err != nil {
t.Fatalf("err: %v", err)