umask is inverted

[ryantm]

pennae ryantm: since we see you, i think you inverted the umask in agenix by accident
ryantm pennae: Are you talking about

agenix/modules/age.nix

Line 22 in 8652eb6

(umask 0400; LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")

?
pennae yeah
ryantm pennae: Could you be more specific what you mean about "inverted"?
pennae as it stands it'll clear the owner-read bit and leave all others untouched either we can't brain right now or you probably meant 0177
ryantm pennae: I think you're right; thanks for letting me know. I'll look into fixing it.
pennae also there might be a bug with a root secret "something.tmp" and a non-root secret "something" that'll delete the root secret? not sure about that tho

[asymmetric]

umask supports symbolic arguments, which are IMO more intuitive: umask u=r would be equivalent to umask 0377, IIUC.

[pennae]

that's not entirely portable across shells though, eg on bash umask u=r seems to completely recalculate the umask while busybox ash only modifies the current umask with the given modifiers. this could be a problem since the activation script starts out with umask 0022.

[asymmetric]

I’m fine with using numeric values, but we control the shell this script executes with (bash), so portability should not be an issue.

EDIT: or can system.activationScripts be executed with other shells?

[pennae]

activation scripts run under pkgs.runtimeShell, which can theoretically be overridden (and we think someone on irc said they do).

that said, umask u=r,g=,o= should be portable across them all