Fix permissions of backup secret according to Josh's comment at

https://github.com/mail-in-a-box/mailinabox/pull/150#issuecomment-53120156

Fix permissions of backup secret according to Josh's comment at
https://github.com/mail-in-a-box/mailinabox/pull/150#issuecomment-53120156
ee955273 · Helmuth Gronewold · a68fd642 · ee955273 · ee955273
Commit ee955273 authored Aug 22, 2014 by Helmuth Gronewold
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

management.sh setup/management.sh +1 -3

migrate.py setup/migrate.py +4 -0

No files found.
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -8,10 +8,8 @@ hide_output pip3 install rtyaml
 # Create a backup directory and a random key for encrypting backups.
 mkdir -p $STORAGE_ROOT/backup
 if [ ! -f $STORAGE_ROOT/backup/secret_key.txt ]; then
-	openssl rand -base64 2048 > $STORAGE_ROOT/backup/secret_key.txt
+	$(umask 077; openssl rand -base64 2048 > $STORAGE_ROOT/backup/secret_key.txt)
 fi
-# The secret key to encrypt backups should not be world readable.
-chmod 0600 $STORAGE_ROOT/backup/secret_key.txt

 # Link the management server daemon into a well known location.
 rm -f /usr/local/bin/mailinabox-daemon

--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -56,6 +56,10 @@ def migration_4(env):
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
 	shell("check_call", ["sqlite3", db, "ALTER TABLE users ADD privileges TEXT NOT NULL DEFAULT ''"])

+def migration_5(env):
+        # The secret key for encrypting backups was world readable. Fix here.
+        os.chmod(os.path.join(env["STORAGE_ROOT"], 'backup/secret_key.txt'), 600)
+
 def get_current_migration():
 	ver = 0
 	while True: