Thomas Lamprecht <t.lampre...@proxmox.com> writes:

> On 23.07.25 at 15:00, Shannon Sterz wrote:
>> -->8 snip 8<--
>>> - PVE::Tools::file_set_contents($pwfile, "$password\n");
>>> + PVE::Tools::file_set_contents($pwfile, "$password\n", undef, 1);
>> i know this is pre-existing, but i'd feel more comfortable forcing the
>> permissions here rather than depending on the default behaviour. this is
>> a password file after all, being explicit doesn't hurt in my opinion.
>
> FWIW, as this file resides in /etc/pve/priv the permissions are enforced
> to 0600 by pmxcfs already, and the 0644 default from file_set_contents
> would have been problematic in any case already.
>
> Passing 0600 explicitly here might still not hurt though, and potentially
> even help, e.g. if one copies this over for some other secret that is e.g.
> node local and thinks this is secure as is, not very likely, but the cost
> of doing this is way too small compared with potential impact.
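
Review bot: On the `+` line the third argument is passed as `undef`, so the mode of the password file falls back to whatever file_set_contents defaults to (0644 per the discussion above), and only the pmxcfs handling of /etc/pve/priv keeps it at 0600. Suggest passing 0600 in that position so the call stays safe if it is ever reused for a path outside /etc/pve/priv. The trailing `1` is also a bare positional flag with no explanation in the hunk; a short comment naming what it enables would help the next reader.
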
v3 sent at https://lore.proxmox.com/pve-devel/20250730072239.24928-1-m.sando...@proxmox.com.

--
Maximiliano