From 0d075f32cdbdb87c6a0bdb511aa4684a85f3caa9 Mon Sep 17 00:00:00 2001
From: Manuel Sabban <github@sabban.eu>
Date: Fri, 22 Oct 2021 10:14:15 +0200
Subject: [PATCH] fix perms in package installation (#1012)

* fix perms

Co-authored-by: sabban <15465465+sabban@users.noreply.github.com>
---
 debian/postinst         | 18 ++++++++++++++++--
 rpm/SPECS/crowdsec.spec | 11 +++++++++--
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index 26279bce7..4705b8df4 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -28,9 +28,23 @@ if [ "$1" = configure ]; then
         set -e
         COLLECTIONS=true
     fi
+
+    if [[ -f /etc/crowdsec/local_api_credentials.yaml ]] ; then
+        chmod 600 /etc/crowdsec/local_api_credentials.yaml
+    fi
+
+    if [[ -f /etc/crowdsec/online_api_credentials.yaml ]]; then
+        chmod 600 /etc/crowdsec/online_api_credentials.yaml
+    fi
+    
     if [[ ! -f /etc/crowdsec/local_api_credentials.yaml ]] || [[ ! -f /etc/crowdsec/online_api_credentials.yaml ]]; then
-        touch /etc/crowdsec/local_api_credentials.yaml
-        touch /etc/crowdsec/online_api_credentials.yaml
+        if [[ ! -f /etc/crowdsec/local_api_credentials.yaml ]] ; then
+            install -m 600 /dev/null  /etc/crowdsec/local_api_credentials.yaml
+        fi
+        if [[ ! -f /etc/crowdsec/online_api_credentials.yaml ]] ; then
+            install -m 600 /dev/null  /etc/crowdsec/online_api_credentials.yaml
+        fi
+
         db_input medium crowdsec/lapi || true
         db_go || true
         
diff --git a/rpm/SPECS/crowdsec.spec b/rpm/SPECS/crowdsec.spec
index 9576baf6f..11d3ff0e2 100644
--- a/rpm/SPECS/crowdsec.spec
+++ b/rpm/SPECS/crowdsec.spec
@@ -155,8 +155,8 @@ if [ $1 == 1 ]; then
         set +e
     fi
     if [ ! -f "%{_sysconfdir}/crowdsec/online_api_credentials.yaml" ] && [ ! -f "%{_sysconfdir}/crowdsec/local_api_credentials.yaml" ] ; then
-        touch %{_sysconfdir}/crowdsec/online_api_credentials.yaml
-        touch %{_sysconfdir}/crowdsec/local_api_credentials.yaml
+        install -m 600 /dev/null %{_sysconfdir}/crowdsec/online_api_credentials.yaml
+        install -m 600 /dev/null %{_sysconfdir}/crowdsec/local_api_credentials.yaml
         cscli capi register
         cscli machines add -a
     fi
@@ -180,6 +180,13 @@ elif [ $1 == 2 ] && [ -d /var/lib/crowdsec/backup ]; then
        rm -rf /var/lib/crowdsec/backup
     fi
 
+    if [[ -f %{_sysconfdir}/crowdsec/online_api_credentials.yaml ]] ; then
+        chmod 600 %{_sysconfdir}/crowdsec/online_api_credentials.yaml
+    fi
+    
+    if [[ -f %{_sysconfdir}/crowdsec/local_api_credentials.yaml ]] ; then
+        chmod 600 %{_sysconfdir}/crowdsec/local_api_credentials.yaml
+    fi
 fi
 
 %systemd_post %{name}.service