From 215adf841e68648f3eeaa6d1638bc2d9aa890214 Mon Sep 17 00:00:00 2001
From: Felix Schizlein
Date: Thu, 4 Jan 2024 11:36:39 +0100
Subject: [PATCH] Set secret key file mode during fresh installation
---
 lib/tasks/encrypted_key.rake | 4 ++++
 package/files/update_rmt_app_dir_permissions.sh | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/tasks/encrypted_key.rake b/lib/tasks/encrypted_key.rake
index ffc6843cf..ed27c3adf 100644
--- a/lib/tasks/encrypted_key.rake
+++ b/lib/tasks/encrypted_key.rake
@@ -6,6 +6,8 @@ namespace :rmt do
 Rails::Generators::EncryptionKeyFileGenerator
 .new.add_key_file('config/secrets.yml.key')
+
+ FileUtils.chmod(0o640, 'config/secrets.yml.key')
 end
 desc 'Create the `secret_key_base` for Rails'
@@ -13,6 +15,8 @@ namespace :rmt do
 Rails::Secrets.write(
 { 'production' => { 'secret_key_base' => SecureRandom.hex(64) } }.to_yaml
 )
+
+ FileUtils.chmod(0o640, 'config/secrets.yml.enc')
 end
 end
 end
diff --git a/package/files/update_rmt_app_dir_permissions.sh b/package/files/update_rmt_app_dir_permissions.sh
index ec2d1b780..16e8f9951 100644
--- a/package/files/update_rmt_app_dir_permissions.sh
+++ b/package/files/update_rmt_app_dir_permissions.sh
@@ -20,7 +20,7 @@ fi
 # Change secrets encrypted and key files to nginx readable
 secret_key_files=('config/secrets.yml.key' 'config/secrets.yml.enc')
-for secretFile in $secret_key_files; do
+for secretFile in ${secret_key_files[@]}; do
 file_path="$app_dir/$secretFile"
 if [[ -e $file_path ]]; then
 if [[ "$(stat -c "%U %G" $file_path)" == "root root" ]]; then
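Review bot: The added `FileUtils.chmod(0o640, 'config/secrets.yml.key')` grants group read on the key that decrypts `secrets.yml.enc`, but nothing visible in this task sets or checks the file's group, so who gains read access depends on the account that runs the rake task. The packaging script touched by this commit suggests the intent is to make the file readable by nginx; a comment above the call would record that dependency, e.g. `# 0640: group read is for the web server group; ownership is expected to be fixed up by the packaging script`. The same remark applies to the chmod added in the second hunk of this file. The task body starts outside the hunk, so any ownership handling earlier in it is not visible here.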
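Review bot: `FileUtils.chmod(0o640, 'config/secrets.yml.enc')` resolves its path against the current working directory, while the file is written by `Rails::Secrets.write`, which is given no path and so chooses its own location. If the task runs with a different working directory, the chmod raises `Errno::ENOENT` or changes another file, and the freshly written secrets keep their creation mode. Anchoring the call to the application root removes that coupling: `FileUtils.chmod(0o640, Rails.root.join('config', 'secrets.yml.enc'))`. Because the mode is applied only after the write, the file also exists briefly with whatever mode the writer and the process umask produce; if that matters on this install path, a restrictive `File.umask` around the write would close the gap.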
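Review bot: The corrected loop header expands the array unquoted, `${secret_key_files[@]}`, so every element is subject to word splitting and pathname expansion before it is joined onto `$app_dir`. The two literal entries are harmless today, but this script changes permissions on secret files and should not depend on that: `for secretFile in "${secret_key_files[@]}"; do`. The `stat -c "%U %G" $file_path` call in the context lines has the same unquoted expansion and would misbehave if `app_dir` ever contained whitespace. The loop body continues outside the hunk.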