Restrict file permissions for config file/dir

Velero client config file should have restricted file permissions to be
read/write-able for the user that creates it--similar to files like
`.ssh/id_rsa`

Refer to OTG-CONFIG-009: Test File Permission
> Improper file permission configuration may result in privilege
escalation, information exposure, DLL injection, or unauthorized file
access.
Therefore, files permission must be properly configured with minimum
access permission by default.

[source](https://www.owasp.org/index.php/Test_File_Permission_(OTG-CONFIG-009))

Ticket: #1758
Signed-off-by: John Naulty <johnnaulty@bitgo.com>
John Naulty
2020-01-14 16:47:13 -08:00
parent b2acd3b683
commit 254a5eebb5

@@ -69,11 +69,11 @@ func SaveConfig(config VeleroConfig) error {
// Try to make the directory in case it doesn't exist
dir := filepath.Dir(fileName)
if err := os.MkdirAll(dir, 0755); err != nil {
if err := os.MkdirAll(dir, 0700); err != nil {
return errors.WithStack(err)
}
configFile, err := os.OpenFile(fileName, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0755)
configFile, err := os.OpenFile(fileName, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
if err != nil {
return errors.WithStack(err)
}
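
Review bot: the new modes in `os.MkdirAll(dir, 0700)` and `os.OpenFile(fileName, ..., 0600)` only take effect when the directory or file is created, so a config saved by an earlier build keeps its 0755 mode after this change; `O_TRUNC` on an existing file empties it but does not change its permissions, and `MkdirAll` returns without touching a directory that already exists. Consider calling `configFile.Chmod(0600)` once the open succeeds, and tightening the directory as well if it is dedicated to the Velero config, so existing installs are covered. A short comment next to the two mode constants explaining why they are owner-only would also help keep them from being loosened later.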