From 40908a6ff603caf70a0f8653a3f6fda13e05cd37 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sun, 20 Sep 2015 15:03:51 -0400
Subject: make sure aiccu.conf is only readable by root, even if it had a different mode to start with

---
 src/Propellor/Property/Aiccu.hs | 2 +-
 src/Propellor/Property/File.hs | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/Propellor/Property/Aiccu.hs b/src/Propellor/Property/Aiccu.hs
index 16d48832..519b8ce9 100644
--- a/src/Propellor/Property/Aiccu.hs
+++ b/src/Propellor/Property/Aiccu.hs
@@ -46,5 +46,5 @@ hasConfig t u = prop `onChange` reloaded
 	property "aiccu configured" . writeConfig
 	writeConfig :: (((PrivDataField, PrivData) -> Propellor Result) -> Propellor Result) -> Propellor Result
 	writeConfig getpassword = getpassword $ ensureProperty . go
-	go (Password _, p) = confPath `File.hasContent` config u t p
+	go (Password _, p) = confPath `File.hasContentProtected` config u t p
 	go (f, _) = error $ "Unexpected type of privdata: " ++ show f
diff --git a/src/Propellor/Property/File.hs b/src/Propellor/Property/File.hs
index 4563fe79..a1d3037f 100644
--- a/src/Propellor/Property/File.hs
+++ b/src/Propellor/Property/File.hs
@@ -10,7 +10,15 @@ type Line = String
 -- | Replaces all the content of a file.
 hasContent :: FilePath -> [Line] -> Property NoInfo
-f `hasContent` newcontent = fileProperty ("replace " ++ f)
+f `hasContent` newcontent = fileProperty
+	("replace " ++ f)
+	(\_oldcontent -> newcontent) f
+
+-- | Replaces all the content of a file, ensuring that its modes do not
+-- allow it to be read or written by anyone other than the current user
+hasContentProtected :: FilePath -> [Line] -> Property NoInfo
+f `hasContentProtected` newcontent = fileProperty' writeFileProtected
+	("replace " ++ f) (\_oldcontent -> newcontent) f
 -- | Ensures a file has contents that comes from PrivData.
-- 
cgit v1.2.3
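Review bot: The new `hasContentProtected` only tightens permissions on the write path, so if `fileProperty'` short-circuits when the on-disk content already equals `newcontent` (I cannot see its body or `writeFileProtected` from this hunk), a file whose content is already correct but whose mode is too permissive is left untouched, which is precisely the "different mode to start with" case the commit message claims to cover. Worth confirming against `fileProperty'`; if so, the property should also check and correct the mode when content is unchanged, or the Aiccu call site (the other hunk) should pair it with an explicit mode property so the invariant is enforced on every run rather than only on rewrite. The Haddock should state whatever the actual guarantee is and end its sentence: `-- allow it to be read or written by anyone other than the current user.` Both functions report the identical description `("replace " ++ f)`, so logs cannot tell a protected write from a plain one; `("replace (protected) " ++ f)` would make audits of sensitive-file handling easier.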