[pve-devel] superseded: [PATCH storage v2] fix #5181: pbs: store and read passwords as unicode
Maximiliano Sandoval
m.sandoval at proxmox.com
Wed Jul 30 09:25:11 CEST 2025
Thomas Lamprecht <t.lamprecht at proxmox.com> writes:
> On 23.07.25 at 15:00, Shannon Sterz wrote:
>> -->8 snip 8<--
>>> - PVE::Tools::file_set_contents($pwfile, "$password\n");
>>> + PVE::Tools::file_set_contents($pwfile, "$password\n", undef, 1);
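Review bot: the `+` line leaves the third argument of file_set_contents as `undef`, so the password file is written with the function's default mode (0644 according to this thread) and stays private only because pmxcfs enforces 0600 under /etc/pve/priv. Pass the mode explicitly, 0600 in place of `undef`, so the protection of the secret does not depend on where the file happens to live.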
>> i know this is pre-existing, but i'd feel more comfortable forcing the
>> permissions here rather than depending on the default behaviour. this is
>> a password file after all, being explicit doesn't hurt in my opinion.
>
> FWIW, as this file resides in /etc/pve/priv the permissions are enforced
> to 0600 by pmxcfs already, and the 0644 default from file_set_contents
> would have been problematic in any case already.
>
> Passing 0600 explicitly here might still not hurt though, and potentially
> even help, e.g. if one copies this over for some other secret that is e.g.
> node local and thinks this is secure as is, not very likely, but the cost
> of doing this is way too small compared with potential impact.
v3 sent at https://lore.proxmox.com/pve-devel/20250730072239.24928-1-m.sandoval@proxmox.com.
--
Maximiliano