From 5baf3c7fc1df6ea343c4ca92e5ea2cc28d00d4ca Mon Sep 17 00:00:00 2001
From: Tommi Virtanen
Date: Thu, 5 Mar 2015 14:45:19 -0800
Subject: [PATCH] Config file is not executable, and must not be world accessible

It contains the private key.
---
 repo/fsrepo/serialize/serialize.go | 2 +-
 repo/fsrepo/serialize/serialize_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/repo/fsrepo/serialize/serialize.go b/repo/fsrepo/serialize/serialize.go
index 864eb4fc1..af8686087 100644
--- a/repo/fsrepo/serialize/serialize.go
+++ b/repo/fsrepo/serialize/serialize.go
@@ -35,7 +35,7 @@ func WriteConfigFile(filename string, cfg interface{}) error {
 return err
 }
 
- f, err := atomicfile.New(filename, 0775)
+ f, err := atomicfile.New(filename, 0660)
 if err != nil {
 return err
 }
diff --git a/repo/fsrepo/serialize/serialize_test.go b/repo/fsrepo/serialize/serialize_test.go
index 5de9674af..9a2ae0cb8 100644
--- a/repo/fsrepo/serialize/serialize_test.go
+++ b/repo/fsrepo/serialize/serialize_test.go
@@ -1,6 +1,7 @@
 package fsrepo
 
 import (
+ "os"
 "testing"
 
 config "github.com/jbenet/go-ipfs/repo/config"
@@ -23,4 +24,11 @@ func TestConfig(t *testing.T) {
 if cfgWritten.Datastore.Path != cfgRead.Datastore.Path {
 t.Fail()
 }
+ st, err := os.Stat(filename)
+ if err != nil {
+ t.Fatalf("cannot stat config file: %v", err)
+ }
+ if g := st.Mode().Perm(); g&0117 != 0 {
+ t.Errorf("config file should not be executable or accessible to world: %v", g)
+ }
 }
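Review bot: The new mode in `atomicfile.New(filename, 0660)` still grants read and write to the file's group, although the commit message says the file holds the private key. Unless group access is relied on somewhere not visible here, owner-only is the tighter choice: `f, err := atomicfile.New(filename, 0600)`, with the mask in the TestConfig hunk widened to match, `g&0177 != 0`. The mode is only applied when the file is written, so a config created as 0775 by an earlier version presumably keeps those bits until the next WriteConfigFile call; whether that needs a one-time tightening when the repo is opened is worth deciding. WriteConfigFile starts and ends outside the hunk.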
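Review bot: The added assertion `g&0117 != 0` is likely to fail on Windows, where Go's os.Stat reports 0666 for an ordinary writable file regardless of the mode requested at creation. If that platform is built and tested, wrap the permission check in `if runtime.GOOS != "windows" { ... }` and add `"runtime"` to the import block. A short comment above the mask, such as `// 0117: owner execute, group execute, all world bits`, would save the next reader from decoding the octal. TestConfig starts outside the hunk, so how `filename` is set up is not visible here.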