From 84041b5d449ca22b53d9457ae7e10cba31ae13c7 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 27 Aug 2021 15:49:01 -0400
Subject: [PATCH] main: Write output ignition files with mode 0600

Because the config is commonly expected to have secret values, use mode 0600.
xref https://github.com/coreos/fedora-coreos-docs/issues/306
---
 internal/main.go | 4 +++-
 test | 17 +++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/internal/main.go b/internal/main.go
index 75086a6d..ff26b99c 100644
--- a/internal/main.go
+++ b/internal/main.go
@@ -102,7 +102,9 @@ func main() {
 if output != "" {
 var err error
- outfile, err = os.OpenFile(output, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+ // Because the config is commonly expected to have secret values, use mode 0600.
+ // xref https://github.com/coreos/fedora-coreos-docs/issues/306
+ outfile, err = os.OpenFile(output, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 if err != nil {
 fail("failed to open %s: %v\n", output, err)
 }
diff --git a/test b/test
index a8b76cdd..ae7e2f89 100755
--- a/test
+++ b/test
@@ -29,6 +29,23 @@ trap 'rm -r tmpdocs' EXIT
 mkdir -p tmpdocs/files-dir/tree
 touch tmpdocs/files-dir/{config.ign,ca.pem,file,file-epilogue,local-file3}
+tmpd=$(mktemp -d)
+${BIN_PATH}/${NAME} --strict --output ${tmpd}/foo.ign << 'EOF'
+variant: fcos
+version: 1.1.0
+storage:
+ files:
+ - path: /etc/somesecret
+ mode: 0600
+ contents:
+ source: https://example.com/etc/somesecret
+EOF
+m=$(stat -c '%a' ${tmpd}/foo.ign)
+if test "${m}" != 600; then
+ echo "Unexpected ignition mode: ${m}" 1>&2
+ exit 1
+fi
+
 for doc in docs/*md
 do
 echo "Checking $doc"
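Review bot: The 0600 passed to os.OpenFile only applies when the file is created; with O_TRUNC an existing `output` keeps whatever permissions it already had, so re-generating over a previously 0644 file leaves the secrets world-readable. Follow the open with `if err := outfile.Chmod(0600); err != nil { fail("failed to set mode on %s: %v\n", output, err) }` (or remove the file before opening) so the guarantee also holds on overwrite. The process umask can only make the created mode more restrictive than 0600, never wider, so no handling is needed for that. The new check in `test` writes a fresh file under `mktemp -d` and would not catch the pre-existing-file case; a second run against a pre-created 0644 file would. main() begins and ends outside this hunk.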
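Review bot: The directory from `tmpd=$(mktemp -d)` is never removed; the existing `trap 'rm -r tmpdocs' EXIT` is installed before this block and does not cover it, so every run leaves a directory containing the generated Ignition file behind. Either re-arm the trap once it exists, `trap 'rm -r tmpdocs "${tmpd}"' EXIT`, or add `rm -rf "${tmpd}"` after the `fi`. The expansions `${tmpd}/foo.ign` and `${BIN_PATH}/${NAME}` are unquoted; quoting them (`"${tmpd}/foo.ign"`) is cheap and avoids breakage when TMPDIR or the binary path contains spaces.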