Tweak permissions on various created files

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
fluxcd · Nov 3, 2023 · 1f89780 · 1f89780
1 parent 4f8c0cc
commit 1f89780
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/internal/controller/kustomization_fuzzer_test.go b/internal/controller/kustomization_fuzzer_test.go
@@ -364,7 +364,7 @@ func createFiles(f *fuzz.ConsumeFuzzer, rootDir string) error {
 			continue // some errors here are not permanent, so we can try again with different values
 		}
 
-		err = os.MkdirAll(dirPath, 0o755)
+		err = os.MkdirAll(dirPath, 0o750)
 		if err != nil {
 			if noOfCreatedFiles > 0 {
 				return nil
@@ -433,7 +433,7 @@ func ensureDependencies() error {
 	// as it is being consumed directly from the embed.FS.
 	embedDirs := []string{"testdata/crd"}
 	for _, dir := range embedDirs {
-		err := os.MkdirAll(dir, 0o755)
+		err := os.MkdirAll(dir, 0o750)
 		if err != nil {
 			return fmt.Errorf("mkdir %s: %v", dir, err)
 		}
@@ -452,7 +452,7 @@ func ensureDependencies() error {
 				return fmt.Errorf("reading embedded file %s: %v", fileName, err)
 			}
 
-			os.WriteFile(fileName, data, 0o644)
+			os.WriteFile(fileName, data, 0o600)
 			if err != nil {
 				return fmt.Errorf("writing %s: %v", fileName, err)
 			}
@@ -727,7 +727,7 @@ func createArtifact(artifactServer *testserver.ArtifactServer, fixture, path str
 		return "", err
 	}
 
-	if err := os.Chmod(f.Name(), 0644); err != nil {
+	if err := os.Chmod(f.Name(), 0o600); err != nil {
 		return "", err
 	}
 

diff --git a/internal/decryptor/decryptor.go b/internal/decryptor/decryptor.go
@@ -508,7 +508,7 @@ func (d *Decryptor) sopsDecryptFile(path string, inputFormat, outputFormat forma
 	if err != nil {
 		return err
 	}
-	err = os.WriteFile(path, out, 0o644)
+	err = os.WriteFile(path, out, 0o600)
 	if err != nil {
 		return fmt.Errorf("error writing sops decrypted %s data to %s file: %w",
 			sopsFormatToString[inputFormat], sopsFormatToString[outputFormat], err)

diff --git a/internal/decryptor/decryptor_test.go b/internal/decryptor/decryptor_test.go
@@ -906,7 +906,7 @@ func TestDecryptor_decryptKustomizationEnvSources(t *testing.T) {
 					g.Expect(err).ToNot(HaveOccurred())
 					g.Expect(data).ToNot(Equal(f.data))
 				}
-				g.Expect(os.WriteFile(fPath, data, 0o644)).To(Succeed())
+				g.Expect(os.WriteFile(fPath, data, 0o600)).To(Succeed())
 			}
 
 			visited := make(map[string]struct{}, 0)
@@ -1050,7 +1050,7 @@ func TestDecryptor_decryptSopsFile(t *testing.T) {
 					data = b
 				}
 				g.Expect(os.MkdirAll(filepath.Dir(fPath), 0o700)).To(Succeed())
-				g.Expect(os.WriteFile(fPath, data, 0o644)).To(Succeed())
+				g.Expect(os.WriteFile(fPath, data, 0o600)).To(Succeed())
 			}
 
 			path := filepath.Join(tmpDir, tt.path)
@@ -1164,7 +1164,7 @@ func TestDecryptor_secureLoadKustomizationFile(t *testing.T) {
 					continue
 				}
 				g.Expect(os.MkdirAll(filepath.Dir(fPath), 0o700)).To(Succeed())
-				g.Expect(os.WriteFile(fPath, f.data, 0o644)).To(Succeed())
+				g.Expect(os.WriteFile(fPath, f.data, 0o600)).To(Succeed())
 			}
 
 			root := filepath.Join(tmpDir, tt.rootSuffix)
@@ -1438,7 +1438,7 @@ func TestDecryptor_recurseKustomizationFiles(t *testing.T) {
 				b, err := yaml.Marshal(kus)
 				g.Expect(err).ToNot(HaveOccurred())
 				g.Expect(os.MkdirAll(filepath.Dir(path), 0o700)).To(Succeed())
-				g.Expect(os.WriteFile(path, b, 0o644))
+				g.Expect(os.WriteFile(path, b, 0o600))
 			}
 
 			visit := func(root, path string, kus *kustypes.Kustomization) error {