From 254a5eebb58f5ebdf13049036ec59aba5d9f2290 Mon Sep 17 00:00:00 2001
From: John Naulty
Date: Tue, 14 Jan 2020 16:47:13 -0800
Subject: [PATCH] Restrict file permissions for config file/dir

Velero client config file should have restricted file permissions to be read/write-able for the user that creates it--similiar to files like `.ssh/id_rsa`

Refer to OTG-CONFIG-009: Test File Permission

> Impoper file permission configuration may result in privilledge escalation, information explousure, DLL injection, or unauthorized file access. Therefore, files permission must be properly configured with minium access permission by default.

[source](https://www.owasp.org/index.php/Test_File_Permission_(OTG-CONFIG-009))

Ticket: #1758

Signed-off-by: John Naulty
---
 pkg/client/config.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/client/config.go b/pkg/client/config.go
index fb71b788e..9a943311d 100644
--- a/pkg/client/config.go
+++ b/pkg/client/config.go
@@ -69,11 +69,11 @@ func SaveConfig(config VeleroConfig) error {
 // Try to make the directory in case it doesn't exist
 dir := filepath.Dir(fileName)
- if err := os.MkdirAll(dir, 0755); err != nil {
+ if err := os.MkdirAll(dir, 0700); err != nil {
 return errors.WithStack(err)
 }
- configFile, err := os.OpenFile(fileName, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0755)
+ configFile, err := os.OpenFile(fileName, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
 if err != nil {
 return errors.WithStack(err)
 }
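Review bot: The new 0600/0700 modes only take effect when the file or directory is created, so a config file that an earlier release already wrote with 0755 keeps its world-readable bits after this patch — os.OpenFile with O_CREATE ignores the mode for an existing path and O_TRUNC then rewrites fresh credentials into that still-readable file, and os.MkdirAll likewise leaves an existing directory's mode alone. After the OpenFile error check, tighten the existing file explicitly: `if err := configFile.Chmod(0600); err != nil { return errors.WithStack(err) }`, and consider an `os.Chmod(dir, 0700)` for the directory if it is expected to hold only velero state. A comment on the OpenFile line such as `// 0600 is only applied on creation; Chmod below covers files written by older versions` would record why both are needed. The umask can only make these modes stricter, so 0600 stays safe on Unix; on Windows Go's mode bits map only to the read-only attribute, so this restriction presumably does not apply there — worth confirming if Windows clients are supported. SaveConfig begins before this hunk and continues past it, so the fate of configFile (close, write) is not visible here.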