github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

cli: use file mode 0600 when saving a snapshot 

So that other users on the machine can not access the snapshot data.
pull/11918/head
Daniel Nephin 2021-12-23 16:34:54 -05:00
parent 0166b0839c
commit ff7f3a9737
2 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
command/snapshot/save/snapshot_save.go
View File

@ -5,11 +5,12 @@ import (
"fmt" "fmt"
"os" "os"
"github.com/mitchellh/cli"
"github.com/rboyer/safeio"
"github.com/hashicorp/consul/api" "github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/flags" "github.com/hashicorp/consul/command/flags"
"github.com/hashicorp/consul/snapshot" "github.com/hashicorp/consul/snapshot"
"github.com/mitchellh/cli"
"github.com/rboyer/safeio"
) )
func New(ui cli.Ui) *cmd { func New(ui cli.Ui) *cmd {
@ -71,7 +72,7 @@ func (c *cmd) Run(args []string) int {
// Save the file first. // Save the file first.
unverifiedFile := file + ".unverified" unverifiedFile := file + ".unverified"
if _, err := safeio.WriteToFile(snap, unverifiedFile, 0666); err != nil { if _, err := safeio.WriteToFile(snap, unverifiedFile, 0600); err != nil {
c.UI.Error(fmt.Sprintf("Error writing unverified snapshot file: %s", err)) c.UI.Error(fmt.Sprintf("Error writing unverified snapshot file: %s", err))
return 1 return 1
} }

4
command/snapshot/save/snapshot_save_test.go
View File

@ -94,6 +94,10 @@ func TestSnapshotSaveCommand(t *testing.T) {
t.Fatalf("bad: %d. %#v", code, ui.ErrorWriter.String()) t.Fatalf("bad: %d. %#v", code, ui.ErrorWriter.String())
} }
fi, err := os.Stat(file)
require.NoError(t, err)
require.Equal(t, fi.Mode(), os.FileMode(0600))
f, err := os.Open(file) f, err := os.Open(file)
if err != nil { if err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)