From 84cbff16d48c10310af8a4ad13d9bb31220ada41 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Fri, 8 Dec 2023 10:51:15 +0100
Subject: [PATCH] restrict file permissions from "machines add" (#2648)

---
 cmd/crowdsec-cli/capi.go          | 2 +-
 cmd/crowdsec-cli/config_backup.go | 2 +-
 cmd/crowdsec-cli/console.go       | 4 ++--
 cmd/crowdsec-cli/machines.go      | 2 +-
 cmd/crowdsec-cli/simulation.go    | 4 ++--
 cmd/crowdsec-cli/support.go       | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cmd/crowdsec-cli/capi.go b/cmd/crowdsec-cli/capi.go
index e316abbc6..e748baa4f 100644
--- a/cmd/crowdsec-cli/capi.go
+++ b/cmd/crowdsec-cli/capi.go
@@ -106,7 +106,7 @@ func NewCapiRegisterCmd() *cobra.Command {
 				return fmt.Errorf("unable to marshal api credentials: %w", err)
 			}
 			if dumpFile != "" {
-				err = os.WriteFile(dumpFile, apiConfigDump, 0600)
+				err = os.WriteFile(dumpFile, apiConfigDump, 0o600)
 				if err != nil {
 					return fmt.Errorf("write api credentials in '%s' failed: %w", dumpFile, err)
 				}
diff --git a/cmd/crowdsec-cli/config_backup.go b/cmd/crowdsec-cli/config_backup.go
index c4d09e687..987b19fed 100644
--- a/cmd/crowdsec-cli/config_backup.go
+++ b/cmd/crowdsec-cli/config_backup.go
@@ -72,7 +72,7 @@ func backupHub(dirPath string) error {
 		if err != nil {
 			return fmt.Errorf("failed marshaling upstream parsers : %s", err)
 		}
-		err = os.WriteFile(upstreamParsersFname, upstreamParsersContent, 0644)
+		err = os.WriteFile(upstreamParsersFname, upstreamParsersContent, 0o644)
 		if err != nil {
 			return fmt.Errorf("unable to write to %s %s : %s", itemType, upstreamParsersFname, err)
 		}
diff --git a/cmd/crowdsec-cli/console.go b/cmd/crowdsec-cli/console.go
index 1caf11752..f119c6bc1 100644
--- a/cmd/crowdsec-cli/console.go
+++ b/cmd/crowdsec-cli/console.go
@@ -241,7 +241,7 @@ func dumpConsoleConfig(c *csconfig.LocalApiServerCfg) error {
 		log.Debugf("Empty console_path, defaulting to %s", c.ConsoleConfigPath)
 	}
 
-	if err := os.WriteFile(c.ConsoleConfigPath, out, 0600); err != nil {
+	if err := os.WriteFile(c.ConsoleConfigPath, out, 0o600); err != nil {
 		return fmt.Errorf("while dumping console config to %s: %w", c.ConsoleConfigPath, err)
 	}
 
@@ -282,7 +282,7 @@ func SetConsoleOpts(args []string, wanted bool) error {
 						return fmt.Errorf("cannot marshal credentials: %s", err)
 					}
 					log.Infof("Updating credentials file: %s", csConfig.API.Server.OnlineClient.CredentialsFilePath)
-					err = os.WriteFile(csConfig.API.Server.OnlineClient.CredentialsFilePath, fileContent, 0600)
+					err = os.WriteFile(csConfig.API.Server.OnlineClient.CredentialsFilePath, fileContent, 0o600)
 					if err != nil {
 						return fmt.Errorf("cannot write credentials file: %s", err)
 					}
diff --git a/cmd/crowdsec-cli/machines.go b/cmd/crowdsec-cli/machines.go
index cfdc2139e..45e9a8127 100644
--- a/cmd/crowdsec-cli/machines.go
+++ b/cmd/crowdsec-cli/machines.go
@@ -332,7 +332,7 @@ func (cli cliMachines) add(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("unable to marshal api credentials: %s", err)
 	}
 	if dumpFile != "" && dumpFile != "-" {
-		err = os.WriteFile(dumpFile, apiConfigDump, 0644)
+		err = os.WriteFile(dumpFile, apiConfigDump, 0o600)
 		if err != nil {
 			return fmt.Errorf("write api credentials in '%s' failed: %s", dumpFile, err)
 		}
diff --git a/cmd/crowdsec-cli/simulation.go b/cmd/crowdsec-cli/simulation.go
index 27aea5831..c4db03ca3 100644
--- a/cmd/crowdsec-cli/simulation.go
+++ b/cmd/crowdsec-cli/simulation.go
@@ -48,7 +48,7 @@ func dumpSimulationFile() error {
 	if err != nil {
 		return fmt.Errorf("unable to marshal simulation configuration: %s", err)
 	}
-	err = os.WriteFile(csConfig.ConfigPaths.SimulationFilePath, newConfigSim, 0644)
+	err = os.WriteFile(csConfig.ConfigPaths.SimulationFilePath, newConfigSim, 0o644)
 	if err != nil {
 		return fmt.Errorf("write simulation config in '%s' failed: %s", csConfig.ConfigPaths.SimulationFilePath, err)
 	}
@@ -66,7 +66,7 @@ func disableGlobalSimulation() error {
 	if err != nil {
 		return fmt.Errorf("unable to marshal new simulation configuration: %s", err)
 	}
-	err = os.WriteFile(csConfig.ConfigPaths.SimulationFilePath, newConfigSim, 0644)
+	err = os.WriteFile(csConfig.ConfigPaths.SimulationFilePath, newConfigSim, 0o644)
 	if err != nil {
 		return fmt.Errorf("unable to write new simulation config in '%s' : %s", csConfig.ConfigPaths.SimulationFilePath, err)
 	}
diff --git a/cmd/crowdsec-cli/support.go b/cmd/crowdsec-cli/support.go
index dd705833f..15c8b071a 100644
--- a/cmd/crowdsec-cli/support.go
+++ b/cmd/crowdsec-cli/support.go
@@ -423,7 +423,7 @@ cscli support dump -f /tmp/crowdsec-support.zip
 				log.Fatalf("could not finalize zip file: %s", err)
 			}
 
-			err = os.WriteFile(outFile, w.Bytes(), 0600)
+			err = os.WriteFile(outFile, w.Bytes(), 0o600)
 			if err != nil {
 				log.Fatalf("could not write zip file to %s: %s", outFile, err)
 			}