Am 23.07.25 um 15:00 schrieb Shannon Sterz: > -->8 snip 8<-- >> - PVE::Tools::file_set_contents($pwfile, "$password\n"); >> + PVE::Tools::file_set_contents($pwfile, "$password\n", undef, 1); > i know this is pre-existing, but i'd feel more comfortable forcing the > permissions here rather than depending on the default behaviour. this is > a password file after all, being explicit doesn't hurt in my opinion.
FWIW, as this file resides in /etc/pve/priv the permissions are enforced to 0600 by pmxcfs already, and the 0644 default from file_set_contents would have been problematic in any case already. Passing 0600 explicitly here might still not hurt though, and potentially even help, e.g. if one copies this over for some other secret that is e.g. node local and thinks this is secure as is, not very likely, but the cost of doing this is way to to small compared with potential impact. _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
