From d8bf6e7836a22c755fa0881f89d482b5e8f47e29 Mon Sep 17 00:00:00 2001
From: Jakob Unterwurzacher
Date: Wed, 25 Nov 2015 20:09:48 +0100
Subject: [PATCH] Tighten file permissions on gocryptfs.conf

This file should only be readable by the owner and never be written to.
---
 cryptfs/config_file.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/cryptfs/config_file.go b/cryptfs/config_file.go
index db0abf5..f258a5e 100644
--- a/cryptfs/config_file.go
+++ b/cryptfs/config_file.go
@@ -118,10 +118,12 @@ func (cf *ConfFile) EncryptKey(key []byte, password string) {
 }
 
 // WriteFile - write out config in JSON format to file "filename.tmp"
-// then rename over "filename"
+// then rename over "filename".
+// This way a password change atomically replaces the file.
 func (cf *ConfFile) WriteFile() error {
 tmp := cf.filename + ".tmp"
- fd, err := os.Create(tmp)
+ // 0400 permissions: gocryptfs.conf should be kept secret and never be written to.
+ fd, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
 if err != nil {
 return err
 }
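Review bot: With `os.O_EXCL` and mode 0400, a `gocryptfs.conf.tmp` left behind by an interrupted or failed earlier `WriteFile` makes every later call fail at the new `os.OpenFile` line, where `os.Create` used to truncate the leftover. The exclusive create is worth keeping, since it refuses a pre-existing file or symlink at the temp path, so the fix is cleanup rather than relaxed flags: the error paths after the open should call `os.Remove(tmp)` before returning. Those paths lie outside this hunk, so I cannot see whether they already do. The doc comment could also state the failure mode, e.g. `// A stale "filename.tmp" makes WriteFile fail until it is removed.` Separately, an existing gocryptfs.conf presumably keeps its old mode until the next rewrite, so already-initialized filesystems are only tightened on a password change.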