From d1b7ac16cfa79744ad325bf8729bfbacc3c75d9b Mon Sep 17 00:00:00 2001
From: Marco Mariani
Date: Wed, 15 Nov 2023 12:48:07 +0100
Subject: [PATCH] local api permissions
---
 cmd/crowdsec-cli/lapi.go | 2 +-
 cmd/crowdsec-cli/machines.go | 2 +-
 test/bats/30_machines.bats | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cmd/crowdsec-cli/lapi.go b/cmd/crowdsec-cli/lapi.go
index 37ee0088c..38de35524 100644
--- a/cmd/crowdsec-cli/lapi.go
+++ b/cmd/crowdsec-cli/lapi.go
@@ -149,7 +149,7 @@ func runLapiRegister(cmd *cobra.Command, args []string) error {
 log.Fatalf("unable to marshal api credentials: %s", err)
 }
 if dumpFile != "" {
- err = os.WriteFile(dumpFile, apiConfigDump, 0644)
+ err = os.WriteFile(dumpFile, apiConfigDump, 0o600)
 if err != nil {
 log.Fatalf("write api credentials in '%s' failed: %s", dumpFile, err)
 }
diff --git a/cmd/crowdsec-cli/machines.go b/cmd/crowdsec-cli/machines.go
index 82e6d53c9..012cb5941 100644
--- a/cmd/crowdsec-cli/machines.go
+++ b/cmd/crowdsec-cli/machines.go
@@ -290,7 +290,7 @@ func runMachinesAdd(cmd *cobra.Command, args []string) error {
 if dumpFile == "" {
 fmt.Printf("%s\n", string(apiConfigDump))
 } else {
- err = os.WriteFile(dumpFile, apiConfigDump, 0644)
+ err = os.WriteFile(dumpFile, apiConfigDump, 0o600)
 if err != nil {
 return fmt.Errorf("writing api credentials to '%s': %s", dumpFile, err)
 }
diff --git a/test/bats/30_machines.bats b/test/bats/30_machines.bats
index 12c2dd505..e9679049b 100644
--- a/test/bats/30_machines.bats
+++ b/test/bats/30_machines.bats
@@ -13,6 +13,7 @@ teardown_file() {
 setup() {
 load "../lib/setup.sh"
+ load "../lib/bats-file/load.bash"
 ./instance-data load
 ./instance-crowdsec start
 }
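Review bot: `os.WriteFile` applies its mode argument only when it creates the file, so a `dumpFile` that already exists with mode 0644 (for instance one written before this change) is truncated and rewritten but keeps its old, world-readable mode. The same holds for the identical call in `runMachinesAdd` in machines.go. Opening the file, calling `Chmod(0o600)` on the handle and only then writing the credentials covers the existing-file case and avoids a window in which the password is already in a file that other users can read. Both functions start and end outside their hunks.

```go
// … unchanged: credentials marshalled into apiConfigDump …
if dumpFile != "" {
	f, err := os.OpenFile(dumpFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		log.Fatalf("write api credentials in '%s' failed: %s", dumpFile, err)
	}
	// The mode given to OpenFile is ignored for an existing file,
	// so tighten it before the secret is written.
	if err = f.Chmod(0o600); err == nil {
		_, err = f.Write(apiConfigDump)
	}
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		log.Fatalf("write api credentials in '%s' failed: %s", dumpFile, err)
	}
```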
@@ -46,11 +47,12 @@ teardown() {
 rune -0 yq -o json . <(output)
 assert_json '{login: "testmachine2", password: "testpassword", url: "http://127.0.0.1:8080"}'
- tempfile="${BATS_TEST_DIRNAME}/testmachine.yml"
+ tempfile="${BATS_TEST_TMPDIR}/testmachine.yml"
 rune -0 cscli machines add testmachine3 --password testpassword -f "${tempfile}"
 assert_stderr --partial "API credentials dumped to '${tempfile}'"
 rune -0 yq -o json . < "$tempfile"
 assert_json '{login: "testmachine3", password: "testpassword", url: "http://127.0.0.1:8080"}'
+ assert_file_permission 600 "$tempfile"
 }
 @test "add a new machine and delete it" {
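Review bot: The added `assert_file_permission 600 "$tempfile"` only checks a file that does not exist before the command runs, because the target now lives in the per-test `BATS_TEST_TMPDIR`. A credentials file that already exists with a wider mode is not exercised; a second run that pre-creates it, e.g. `touch "$tempfile"; chmod 644 "$tempfile"` before `cscli machines add ... -f "${tempfile}"`, followed by the same assertion, would pin that case down. The write changed in lapi.go gets no equivalent assertion in this file; whether another bats file covers it is not visible here. The enclosing `@test` block starts above the hunk.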