MT#22567 Create /etc/ngcp-config-crypted.tgz* files with more restrict file permissions

The file should be accessible only to user root. Also don't leave the unencrypted file /etc/ngcp-config-crypted.tgz around. Change-Id: I82f7f36d8561d8d5e82435edb70e11170fa6c082
10 years ago · f009806409
parent 089cfa6b6e
commit f009806409
2 changed files with 12 additions and 2 deletions
--- a/scripts/decrypt
+++ b/scripts/decrypt
@ -66,6 +66,9 @@ fi
 RC=0
 TARGZ=/etc/ngcp-config-crypted.tgz

+# ensure created files can be read by root only
+umask 066
+
 if ! gpg -d "$TARGZ".gpg > "$TARGZ" ; then
  log_error "Error while decrypting ${TARGZ}.gpg"
  RC=1
--- a/scripts/encrypt
+++ b/scripts/encrypt
@ -41,6 +41,9 @@ if ! type -p gpg &>/dev/null ; then
  exit 1
 fi

+# ensure created files can be read by root only
+umask 066
+
 RC=0
 TARGZ=/etc/ngcp-config-crypted.tgz
 FILES=$(get_config_file_list)
@ -48,9 +51,13 @@ FILES=$(get_config_file_list)
 tar zcf "$TARGZ" /etc/ngcp-config/ $FILES /etc/.git
 if gpg --symmetric "$TARGZ" ; then
  log_info "Successfully created crypted ngcpcfg configuration archive ${TARGZ}.gpg"
+  # ensure we don't leave the unencrypted version behind
+  rm -f "${TARGZ}"
 else
-  log_error "Error while setting up $TARGZ"
-  RC=1
+  log_error "Error while setting up ${TARGZ}.gpg"
+  # ensure we don't leave the unencrypted version behind
+  rm -f "${TARGZ}"
+  exit 1
 fi

 log_info_n "Now really erase all configuration files managed by ngcpcfg? [y/N] "