Don't allow other users to read config files

This change is a security fix that prevents other users on the system from being able to read configuration files created as part of OpAMP remote configuration management. Signed-off-by: Eric Chlebek <[email protected]>
SumoLogic · Jan 5, 2024 · 65710a9 · 65710a9
1 parent ca0839d
commit 65710a9
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/.changelog/1386.fixed.txt b/.changelog/1386.fixed.txt
@@ -0,0 +1 @@
+sec: don't allow other users to read configuration files
diff --git a/pkg/extension/opampextension/opamp_agent.go b/pkg/extension/opampextension/opamp_agent.go
@@ -374,7 +374,8 @@ func (o *opampAgent) saveEffectiveConfig(dir string) error {
 	for k, v := range o.effectiveConfig {
 		p := filepath.Join(dir, k)
 
-		f, err := os.Create(p)
+		// OpenFile the same way os.Create does it, but with 0600 perms
+		f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 		if err != nil {
 			return err
 		}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		sec: don't allow other users to read configuration files