From fc8535e4d88e81e41a6dc8228f25e9c0b32ef4b9 Mon Sep 17 00:00:00 2001
From: Vlastimil Holer
Date: Mon, 5 Nov 2018 12:11:00 +0100
Subject: [PATCH] gh-122: Ensure files in /var/run/one-context/ have 0400 permissions

Closes #122
---
 src/etc/one-context.d/loc-16-gen-env | 3 ++-
 src/usr/sbin/one-contextd | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/etc/one-context.d/loc-16-gen-env b/src/etc/one-context.d/loc-16-gen-env
index 372a483..52ca43c 100755
--- a/src/etc/one-context.d/loc-16-gen-env
+++ b/src/etc/one-context.d/loc-16-gen-env
@@ -8,6 +8,7 @@ if [ -n "$ONEGATE_TOKEN" ]; then
 TOKENTXT="$ONEGATE_TOKEN"
 fi
 
+umask 0377
 echo "export TOKENTXT=\"$TOKENTXT\"" > $ENV_FILE
 echo "export VMID=\"$VMID\"" >> $ENV_FILE
 echo "export ONEGATE_ENDPOINT=\"$ONEGATE_ENDPOINT\"" >> $ENV_FILE
@@ -28,5 +29,5 @@ function export_rc_vars
 export_rc_vars ${CONTEXT_FILE}
 
 chown root:root $ENV_FILE
-chmod a+r $ENV_FILE
+chmod 0400 $ENV_FILE
 
diff --git a/src/usr/sbin/one-contextd b/src/usr/sbin/one-contextd
index 15e251d..0a0b545 100755
--- a/src/usr/sbin/one-contextd
+++ b/src/usr/sbin/one-contextd
@@ -181,6 +181,8 @@ function get_new_context {
 log err 'Error: No contextualization found' 2
 exit 1
 fi
+
+ chmod 0400 "${CONTEXT_NEW}"
 }
 
 function check_context {
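Review bot: `umask 0377` only governs files that get created, so when `$ENV_FILE` already exists the `>` redirect on the following line truncates it and keeps its old mode. Where an earlier run left the file `a+r` (the mode the removed `chmod a+r` line used to set), the token is written into a world-readable file until the `chmod 0400` in the second hunk runs, and a process that already holds the file open keeps reading the same inode. Removing the file first, `rm -f "$ENV_FILE"` directly after the `umask` line, makes the redirect create a fresh file with mode 0400. The umask also stays in effect for everything the script creates afterwards, which deserves a comment such as `# ENV_FILE holds the OneGate token; create it owner-read-only`.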
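Review bot: Going from `chmod a+r` to `chmod 0400` removes read access for every account except root, and nothing at this line records why or who is still expected to read the file. If any non-root tool sources `$ENV_FILE` (not visible in this hunk) it will now fail, so that is worth confirming and documenting with a comment above the line, e.g. `# contains TOKENTXT; readable by root only`. The new line also leaves `$ENV_FILE` unquoted; `chmod 0400 "$ENV_FILE"` would match the quoting used in the one-contextd hunk.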
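Review bot: The `chmod 0400 "${CONTEXT_NEW}"` runs only at the end of get_new_context, after the file has been created and filled by code outside this hunk, and its result is not checked. Unless the file is created with a restrictive mode earlier in the function (not visible here), its contents are readable under the process's default umask until this line runs; setting the mode at creation time, or a restrictive `umask` before the file is written as the loc-16-gen-env hunk does, would close that gap. A failed chmod should also stop the function rather than continue with a readable context file, e.g. `chmod 0400 "${CONTEXT_NEW}" || exit 1`. The function body starts outside the hunk.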