Mounted cloud credentials should not be world-readable (#8919)

Signed-off-by: Scott Seago <sseago@redhat.com>
Scott Seago
2025-07-17 22:45:38 -04:00
committed by GitHub
parent e88fbb6fa5
commit 29a8bc4492
4 changed files with 11 additions and 3 deletions


@@ -71,7 +71,8 @@ func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (strin
keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
// owner RW perms, group R perms, no public perms
file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0640)
if err != nil {
return "", errors.Wrap(err, "unable to open credentials file for writing")
}
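Review bot: The new `0640` mode on the `OpenFile` call only takes effect when the call creates the file; with `os.O_CREATE|os.O_TRUNC`, a credentials file already written by an earlier version is truncated and reused with its existing `0644` bits, so it stays world-readable after an upgrade if `fsRoot` persists. Consider tightening the mode explicitly after the open succeeds, for example `if err := file.Chmod(0640); err != nil { return "", errors.Wrap(err, "unable to set credentials file permissions") }`, assuming the handle returned by `n.fs` exposes a `Chmod` (not visible here), or remove any stale file before creating it. It would also help to extend the comment to `// owner RW, group R, no world access; applied only on creation and further limited by umask`, and to state why group read is needed, since `0600` would be the tighter default for a secret. The rest of `Path` lies outside this hunk, so whether the file is closed on every error path cannot be checked from here.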