[pve-devel] [PATCH v1 pve-common 09/18] pbsclient: create secret dir with `mkdir -p` and mode `700`
Max Carrara
m.carrara at proxmox.com
Fri Aug 2 15:26:47 CEST 2024
.. instead of using a regular `mkdir` call.
The `File::Path::make_path` subroutine is used for this purpose, which
recursively creates all directories if they didn't exist before. Upon
creation of those directories, the mode is also set to `700`.
This means that (like before), directory permissions are left
untouched if the directory existed already.
Signed-off-by: Max Carrara <m.carrara at proxmox.com>
---
src/PVE/PBSClient.pm | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/PVE/PBSClient.pm b/src/PVE/PBSClient.pm
index e0468d3..2084bb5 100644
--- a/src/PVE/PBSClient.pm
+++ b/src/PVE/PBSClient.pm
@@ -4,6 +4,7 @@ use strict;
use warnings;
use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
+use File::Path;
use File::Temp qw(tempdir);
use IO::File;
use JSON;
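Review bot: The new `use File::Path;` line has no import list, so it pulls File::Path's default exports (the legacy `mkpath` and `rmtree`) into the package namespace, while the code only calls the fully qualified `File::Path::make_path`. Either `use File::Path ();` with the qualified calls kept, or `use File::Path qw(make_path);` with plain `make_path(...)` calls, would make the dependency explicit. It also avoids leaving unused helpers reachable as methods on the client object.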
@@ -191,7 +192,8 @@ my sub password_file_name {
Updates or creates the I<password> file, storing the given C<$password>.
-If the I<secret directory> does not exist, it is created beforehand.
+If the I<secret directory> does not exist, it is recursively created with the
+permissions C<700> beforehand.
If the I<password> file does not exist, a new one with the permissions C<600>
is created.
@@ -202,7 +204,9 @@ sub set_password {
my ($self, $password) = @_;
my $pwfile = password_file_name($self);
- mkdir($self->{secret_dir});
+ File::Path::make_path($self->{secret_dir}, {
+ mode => 0700,
+ });
PVE::Tools::file_set_contents($pwfile, "$password\n", 0600);
};
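Review bot: `mode => 0700` in the `make_path` call only applies to directories that `make_path` creates itself, so a secret directory left behind by the old bare `mkdir` (mode 0777 masked by the umask) keeps its wider permissions after this change. Any missing parent directories are also created with 0700. The files are still written with 0600, but a check after the call would at least surface a lax existing directory: `my $mode = (stat($self->{secret_dir}))[2] & 07777;` followed by `warn sprintf("secret dir '%s' has mode %04o\n", $self->{secret_dir}, $mode) if $mode & 0077;`. Whether to go further and `chmod` it depends on where `secret_dir` may point, which is not visible here. The same applies to the identical call in the `set_encryption_key` hunk, where a small private helper would keep the two in sync; the block enclosing this code in `set_password` starts and ends outside the hunk.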
@@ -274,7 +278,8 @@ sub encryption_key_file_name {
Updates or creates the I<encryption key> file, storing the given C<$key>.
-If the I<secret directory> does not exist, it is created beforehand.
+If the I<secret directory> does not exist, it is recursively created with the
+permissions C<700> beforehand.
If the I<encryption key> file does not exist, a new one with the permissions C<600>
is created.
@@ -285,7 +290,9 @@ sub set_encryption_key {
my ($self, $key) = @_;
my $encfile = $self->encryption_key_file_name();
- mkdir($self->{secret_dir});
+ File::Path::make_path($self->{secret_dir}, {
+ mode => 0700,
+ });
PVE::Tools::file_set_contents($encfile, "$key\n", 0600);
};
--
2.39.2