mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-15 17:50:51 +00:00
Code Activity

Merge pull request #97 from Mic92/fix-permissions

Browse source 
allow non-key group users to access /run/secrets
This commit is contained in:
Jörg Thalheim 2021-06-05 19:51:02 +02:00 committed by GitHub
commit 7918c59b39
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
pkgs/sops-install-secrets/main.go
View file

@ -254,7 +254,7 @@ func decryptSecrets(secrets []secret) error {
const RAMFS_MAGIC int32 = -2054924042
func mountSecretFs(mountpoint string, keysGid int) error {
if err := os.MkdirAll(mountpoint, 0750); err != nil {
if err := os.MkdirAll(mountpoint, 0751); err != nil {
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
}
@ -263,7 +263,7 @@ func mountSecretFs(mountpoint string, keysGid int) error {
return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
}
if int32(buf.Type) != RAMFS_MAGIC {
if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0750"); err != nil {
if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
return fmt.Errorf("Cannot mount: %s", err)
}
}
@ -296,7 +296,7 @@ func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int) (*
return nil, fmt.Errorf("Cannot remove existing %s: %w", dir, err)
}
}
if err := os.Mkdir(dir, os.FileMode(0750)); err != nil {
if err := os.Mkdir(dir, os.FileMode(0751)); err != nil {
return nil, fmt.Errorf("mkdir(): %w", err)
}
if err := os.Chown(dir, 0, int(keysGid)); err != nil {