Merge #79

79: fix small security race r=Mic92 a=zimbatm Co-authored-by: zimbatm <zimbatm@zimbatm.com>
2024-08-16 20:00:36 +03:00 · 2023-03-29 18:05:43 +00:00 · 2023-03-29 18:05:43 +00:00 · ac1eaaf67b
commit ac1eaaf67b
parent ee5c39fcb1 eafa9cfce5
1 changed files with 5 additions and 3 deletions
--- a/terraform/nixos-rebuild/deploy.sh
+++ b/terraform/nixos-rebuild/deploy.sh
@ -21,9 +21,11 @@ sshOpts+=(-o StrictHostKeyChecking=no)

 if [[ -n ${SSH_KEY+x} && ${SSH_KEY} != "-" ]]; then
  sshPrivateKeyFile="$workDir/ssh_key"
-  trap 'rm "$sshPrivateKeyFile"' EXIT
-  echo "$SSH_KEY" >"$sshPrivateKeyFile"
-  chmod 0700 "$sshPrivateKeyFile"
+  # Create the file with 0700 - umask calculation: 777 - 700 = 077
+  (
+    umask 077
+    echo "$SSH_KEY" >"$sshPrivateKeyFile"
+  )
  unset SSH_AUTH_SOCK # don't use system agent if key was supplied
  sshOpts+=(-o "IdentityFile=${sshPrivateKeyFile}")
 fi