From 21346f84acf484833b7bc90d2b63e5d9bf31424d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 22 Jul 2024 17:21:57 +0200
Subject: [PATCH] password-store: write secrets with read-only permission

Otherwise we are installing secrets with the wrong permissions on the first install
---
 pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index c804456f3..4b748da84 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -113,5 +113,7 @@ class SecretStore(SecretStoreBase):
 else:
 # TODO: drop old format soon
 secret_name = secret
- (output_dir / secret_name).write_bytes(self.get(service, secret_name))
+ with (output_dir / secret_name).open("wb") as f:
+ f.chmod(0o600)
+ f.write(self.get(service, secret_name))
 (output_dir / ".pass_info").write_bytes(self.generate_hash())
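Review bot: `f.chmod(0o600)` is called on the file object returned by `.open("wb")`, and binary file objects have no `chmod` method (it belongs to `Path`). If `output_dir` is a `pathlib.Path`, as the `/` and `write_bytes` usage suggests, this line raises `AttributeError` before any secret is written. Correcting the call alone still leaves the file created with umask-derived permissions and tightened only afterwards, so a local reader that opens it in that gap keeps a usable descriptor. Creating it restricted avoids both problems: `fd = os.open(output_dir / secret_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`, then `with os.fdopen(fd, "wb") as f:` and `os.fchmod(f.fileno(), 0o600)` before the write, because the mode given to `os.open` is ignored when the file already exists. This needs `os` imported if the module does not already import it, and the enclosing method starts outside the hunk. Also note that `0o600` is owner read/write, whereas the subject line says read-only.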