mirror of
https://github.com/borgbackup/borg.git
synced 2024-12-26 09:47:58 +00:00
(docs) Recommend umask for passphrase file perms
The previous sample for creating a ~/.borg-passphrase file creates it first and then chmod's it to 400 permissions. That's probably fine in practice, but means there's a tiny window where the passphrase file is sitting with default permissions (likely world readable, depending on the system umask). It seems safer to first change the umask to remove all group & world bits (0077) _before_ creating the file. To be polite and avoid messing with the user's previous umask, we do this in a subshell. (Note that umask 0077 leads to a mode of 600 rather than the previous 400, because removing the owner write bit doesn't seem to buy much since the owner can just chmod the file anyway.)
This commit is contained in:
parent
22fc6d1bdd
commit
da07c36d6b
1 changed files with 1 additions and 2 deletions
|
@ -569,8 +569,7 @@ Using ``BORG_PASSCOMMAND`` with a properly permissioned file
|
||||||
directory and use permissions to keep anyone else from reading it. For
|
directory and use permissions to keep anyone else from reading it. For
|
||||||
example, first create a key::
|
example, first create a key::
|
||||||
|
|
||||||
head -c 32 /dev/urandom | base64 -w 0 > ~/.borg-passphrase
|
(umask 0077; head -c 32 /dev/urandom | base64 -w 0 > ~/.borg-passphrase)
|
||||||
chmod 400 ~/.borg-passphrase
|
|
||||||
|
|
||||||
Then in an automated script one can put::
|
Then in an automated script one can put::
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue