author | Jakob Unterwurzacher | 2015-11-25 20:09:48 +0100 |
---|---|---|
committer | Jakob Unterwurzacher | 2015-11-25 20:57:16 +0100 |
commit | d8bf6e7836a22c755fa0881f89d482b5e8f47e29 (patch) | |
tree | 1cd33edc6b76fe8ac16db17ade9cddefa2e06166 | |
parent | df46548be66ded2b504a5314b9496e961e9e2533 (diff) |
Tighten file permissions on gocryptfs.conf
This file should only be readable by the owner and never be written to.
-rw-r--r-- | cryptfs/config_file.go | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/cryptfs/config_file.go b/cryptfs/config_file.go
index db0abf5..f258a5e 100644
--- a/cryptfs/config_file.go
+++ b/cryptfs/config_file.go
@@ -118,10 +118,12 @@ func (cf *ConfFile) EncryptKey(key []byte, password string) {
 }
 
 // WriteFile - write out config in JSON format to file "filename.tmp"
-// then rename over "filename"
+// then rename over "filename".
+// This way a password change atomically replaces the file.
 func (cf *ConfFile) WriteFile() error {
 tmp := cf.filename + ".tmp"
- fd, err := os.Create(tmp)
+ // 0400 permissions: gocryptfs.conf should be kept secret and never be written to.
+ fd, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
 if err != nil {
 return err
 } |
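Review bot: The new `os.OpenFile` call adds `os.O_EXCL`, but the comment above it only explains the 0400 mode, so the reason for the exclusive create and its side effect go undocumented. With `O_EXCL`, a `filename.tmp` left behind by an interrupted earlier run makes WriteFile return an error until that file is removed, whereas `os.Create` would have truncated and reused it. I would extend the comment, e.g. `// O_EXCL: refuse to reuse (or follow a symlink at) an existing "filename.tmp"; a stale one must be removed first.`, and confirm that the later failure paths in WriteFile remove `tmp`. The rest of WriteFile's body lies outside this hunk, so whether that cleanup already exists cannot be seen here. Config files written before this change presumably keep their old mode until the next WriteFile call replaces them.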