Use umask for race-free permission setting

Without using umask there's a small time window where paths are world readable. That is a bad idea to do for secret files (e.g. the dovecot code path).
2023-06-28 10:22:07 +02:00 · 2023-06-28 10:22:07 +02:00 · a3b03d1b5a
commit a3b03d1b5a
parent 69a4b7ad67
3 changed files with 8 additions and 3 deletions
--- a/mail-server/users.nix
+++ b/mail-server/users.nix
@ -34,6 +34,9 @@ let

    set -euo pipefail

+    # Prevent world-readable paths, even temporarily.
+    umask 007
+
    # Create directory to store user sieve scripts if it doesn't exist
    if (! test -d "${sieveDirectory}"); then
      mkdir "${sieveDirectory}"