From 82b38083d259aa6f82130b87ec30fb8fcb14f632 Mon Sep 17 00:00:00 2001
From: Eric Chlebek
Date: Fri, 5 Jan 2024 10:31:54 -0800
Subject: [PATCH] Don't allow other users to read config files

This change is a security fix that prevents other users on the system from being able to read configuration files created as part of OpAMP remote configuration management.

Signed-off-by: Eric Chlebek
---
 .changelog/1408.fixed.txt | 1 +
 pkg/extension/opampextension/opamp_agent.go | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/1408.fixed.txt

diff --git a/.changelog/1408.fixed.txt b/.changelog/1408.fixed.txt
new file mode 100644
index 0000000000..6a4c11a6dc
--- /dev/null
+++ b/.changelog/1408.fixed.txt
@@ -0,0 +1 @@
+sec: don't allow other users to read configuration files
diff --git a/pkg/extension/opampextension/opamp_agent.go b/pkg/extension/opampextension/opamp_agent.go
index 38a1c8640e..b41482e4bf 100644
--- a/pkg/extension/opampextension/opamp_agent.go
+++ b/pkg/extension/opampextension/opamp_agent.go
@@ -374,7 +374,8 @@ func (o *opampAgent) saveEffectiveConfig(dir string) error {
 for k, v := range o.effectiveConfig {
 p := filepath.Join(dir, k)
- f, err := os.Create(p)
+ // OpenFile the same way os.Create does it, but with 0600 perms
+ f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 if err != nil {
 return err
 }