make file permissions on credentials more strict

The automatically generated credential files should only be readable by the current user (instead of everyone). While this is currently not enforced by the aws cli or git, more and more tools do not accept credential files with incorrect permissions any longer (e.g. ssh, wireguard). As kas-home is created with chmod 0700, everything below it is already safe even if the permissions inside are a bit too loose. So this addresses no security issue. Proposed-by: Quirin Gylstorff <[email protected]> Signed-off-by: Felix Moessbauer <[email protected]> Signed-off-by: Jan Kiszka <[email protected]>
siemens · Mar 19, 2024 · dd44256 · dd44256
1 parent c4768c4
commit dd44256
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/kas/libcmds.py b/kas/libcmds.py
@@ -247,9 +247,11 @@ def _setup_gitconfig(self):
             config.write()
 
     def execute(self, ctx):
+        def_umask = os.umask(0o077)
         self._setup_netrc()
         self._setup_gitconfig()
         self._setup_aws_creds()
+        os.umask(def_umask)
 
         ctx.environ['HOME'] = self.tmpdirname