bmx should write sensitive files as 0600 (#43)

rtkwlf · Aug 18, 2021 · b3b7fdf · b3b7fdf
1 parent be0ad19
commit b3b7fdf
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/saml/identityProviders/okta/file/oktaSession.go b/saml/identityProviders/okta/file/oktaSession.go
@@ -68,7 +68,7 @@ func writeSessionFile(json []byte) error {
 	if _, err := os.Stat(bmxHome); os.IsNotExist(err) {
 		os.MkdirAll(bmxHome, os.ModeDir|os.ModePerm)
 	}
-	err := ioutil.WriteFile(sessionsFilePath(), json, 0644)
+	err := ioutil.WriteFile(sessionsFilePath(), json, 0600)
 	return err
 }
 

diff --git a/write.go b/write.go
@@ -93,14 +93,23 @@ func resolvePath(path string) string {
 }
 
 func writeToAwsCredentials(credentials *sts.Credentials, profile string, path string) {
-	os.OpenFile(path, os.O_RDONLY|os.O_CREATE, 0666)
-
+	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE, 0600)
+	if err != nil {
+		log.Fatal(err)
+	}
 	cfg, err := ini.Load(path)
 	if err != nil {
 		log.Fatal(err)
 	}
 	cfg.Section(profile).Key("aws_access_key_id").SetValue(*credentials.AccessKeyId)
 	cfg.Section(profile).Key("aws_secret_access_key").SetValue(*credentials.SecretAccessKey)
 	cfg.Section(profile).Key("aws_session_token").SetValue(*credentials.SessionToken)
-	cfg.SaveTo(path)
+	_, err = cfg.WriteTo(f)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := f.Close(); err != nil {
+		log.Fatal(err)
+	}
 }