Tighten file permissions on gocryptfs.conf

This file should only be readable by the owner and never be written to.
author: Jakob Unterwurzacher 2015-11-25 20:09:48 +0100
committer: Jakob Unterwurzacher 2015-11-25 20:57:16 +0100
commit: d8bf6e7836a22c755fa0881f89d482b5e8f47e29 (patch)
tree: 1cd33edc6b76fe8ac16db17ade9cddefa2e06166
parent: df46548be66ded2b504a5314b9496e961e9e2533 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/cryptfs/config_file.go b/cryptfs/config_file.go
index db0abf5..f258a5e 100644
--- a/cryptfs/config_file.go
+++ b/cryptfs/config_file.go
@@ -118,10 +118,12 @@ func (cf *ConfFile) EncryptKey(key []byte, password string) {
 }
 
 // WriteFile - write out config in JSON format to file "filename.tmp"
-// then rename over "filename"
+// then rename over "filename".
+// This way a password change atomically replaces the file.
 func (cf *ConfFile) WriteFile() error {
 	tmp := cf.filename + ".tmp"
-	fd, err := os.Create(tmp)
+	// 0400 permissions: gocryptfs.conf should be kept secret and never be written to.
+	fd, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
 	if err != nil {
 		return err
 	}
author	Jakob Unterwurzacher	2015-11-25 20:09:48 +0100
committer	Jakob Unterwurzacher	2015-11-25 20:57:16 +0100
commit	d8bf6e7836a22c755fa0881f89d482b5e8f47e29 (patch)
tree	1cd33edc6b76fe8ac16db17ade9cddefa2e06166
parent	df46548be66ded2b504a5314b9496e961e9e2533 (diff)