From f0098064091597bb66d251f1fa91217b4cebf43e Mon Sep 17 00:00:00 2001 From: Michael Prokop Date: Thu, 8 Sep 2016 14:39:27 +0200 Subject: [PATCH] MT#22567 Create /etc/ngcp-config-crypted.tgz* files with more restrict file permissions The file should be accessible only to user root. Also don't leave the unencrypted file /etc/ngcp-config-crypted.tgz around. Change-Id: I82f7f36d8561d8d5e82435edb70e11170fa6c082 --- scripts/decrypt | 3 +++ scripts/encrypt | 11 +++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/scripts/decrypt b/scripts/decrypt index 2fff1822..49a67b9c 100755 --- a/scripts/decrypt +++ b/scripts/decrypt @@ -66,6 +66,9 @@ fi RC=0 TARGZ=/etc/ngcp-config-crypted.tgz +# ensure created files can be read by root only +umask 066 + if ! gpg -d "$TARGZ".gpg > "$TARGZ" ; then log_error "Error while decrypting ${TARGZ}.gpg" RC=1 diff --git a/scripts/encrypt b/scripts/encrypt index 13db5a5a..ba414225 100755 --- a/scripts/encrypt +++ b/scripts/encrypt @@ -41,6 +41,9 @@ if ! type -p gpg &>/dev/null ; then exit 1 fi +# ensure created files can be read by root only +umask 066 + RC=0 TARGZ=/etc/ngcp-config-crypted.tgz FILES=$(get_config_file_list) @@ -48,9 +51,13 @@ FILES=$(get_config_file_list) tar zcf "$TARGZ" /etc/ngcp-config/ $FILES /etc/.git if gpg --symmetric "$TARGZ" ; then log_info "Successfully created crypted ngcpcfg configuration archive ${TARGZ}.gpg" + # ensure we don't leave the unencrypted version behind + rm -f "${TARGZ}" else - log_error "Error while setting up $TARGZ" - RC=1 + log_error "Error while setting up ${TARGZ}.gpg" + # ensure we don't leave the unencrypted version behind + rm -f "${TARGZ}" + exit 1 fi log_info_n "Now really erase all configuration files managed by ngcpcfg? [y/N] "