From dd442562b91bbc41d590bb1b43a5434cdc50dbf1 Mon Sep 17 00:00:00 2001
From: Felix Moessbauer
Date: Mon, 18 Mar 2024 15:05:17 +0100
Subject: [PATCH] make file permissions on credentials more strict
The automatically generated credential files should only be readable by the current user (instead of everyone). While this is currently not enforced by the aws cli or git, more and more tools do not accept credential files with incorrect permissions any longer (e.g. ssh, wireguard). As kas-home is created with chmod 0700, everything below it is already safe even if the permissions inside are a bit too loose. So this addresses no security issue.
Proposed-by: Quirin Gylstorff
Signed-off-by: Felix Moessbauer
Signed-off-by: Jan Kiszka
---
 kas/libcmds.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kas/libcmds.py b/kas/libcmds.py
index 3f29412b..b64d186a 100644
--- a/kas/libcmds.py
+++ b/kas/libcmds.py
@@ -247,9 +247,11 @@ def _setup_gitconfig(self):
 config.write()
 def execute(self, ctx):
+ def_umask = os.umask(0o077)
 self._setup_netrc()
 self._setup_gitconfig()
 self._setup_aws_creds()
+ os.umask(def_umask)
 ctx.environ['HOME'] = self.tmpdirname
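Review bot: The restore `os.umask(def_umask)` in `execute` is skipped whenever `_setup_netrc()`, `_setup_gitconfig()` or `_setup_aws_creds()` raises, so the process keeps umask 0o077 for everything that runs afterwards; put the three calls under `try:` and the restore under `finally:`. Because the umask is process-global, any other code creating files during this window gets the tight mask too, which deserves a short comment such as `# umask is process-wide; restrict only while credential files are written`. A umask also only affects files these helpers create: if one of them copies an existing file together with its mode bits (their bodies are outside the hunk, so this is unconfirmed), the copy keeps the looser mode and would need an explicit `os.chmod(path, 0o600)`. The body of `execute` continues past the end of the hunk.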