aboutsummaryrefslogtreecommitdiffstats
path: root/railties
diff options
context:
space:
mode:
authorAndrew White <pixeltrix@users.noreply.github.com>2018-04-19 14:09:21 +0100
committerGitHub <noreply@github.com>2018-04-19 14:09:21 +0100
commit1a32e058a3a9b5f2e7b2930e1177de2f23aa8555 (patch)
treeae216f1a7f832ae8a14f380f21b647d66c7717da /railties
parent9cfbcce8ad134b1b3153d4a4d08207bf1e3d0598 (diff)
parent4c6c3575c66ce10043c9ea04023788890a228de8 (diff)
downloadrails-1a32e058a3a9b5f2e7b2930e1177de2f23aa8555.tar.gz
rails-1a32e058a3a9b5f2e7b2930e1177de2f23aa8555.tar.bz2
rails-1a32e058a3a9b5f2e7b2930e1177de2f23aa8555.zip
Merge pull request #32627 from jlduran/make-master-key-readable-only-by-owner
Make the master.key readable only by the owner
Diffstat (limited to 'railties')
-rw-r--r--railties/CHANGELOG.md17
-rw-r--r--railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb1
-rw-r--r--railties/test/generators/app_generator_test.rb9
3 files changed, 27 insertions, 0 deletions
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 071a649956..a4d4a87a8b 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,20 @@
+* Make the master.key file read-only for the owner upon generation on
+ POSIX-compliant systems.
+
+ Previously:
+
+ $ ls -l config/master.key
+ -rw-r--r-- 1 owner group 32 Jan 1 00:00 master.key
+
+ Now:
+
+ $ ls -l config/master.key
+ -rw------- 1 owner group 32 Jan 1 00:00 master.key
+
+ Fixes #32604.
+
+ *Jose Luis Duran*
+
* Deprecate support for using the `HOST` environment to specify the server IP.
The `BINDING` environment should be used instead.
diff --git a/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
index 90068c678d..e2359e9ded 100644
--- a/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
+++ b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
@@ -27,6 +27,7 @@ module Rails
def add_key_file_silently(key_path, key = nil)
create_file key_path, key || ActiveSupport::EncryptedFile.generate_key
+ key_path.chmod 0600
end
def ignore_key_file(key_path, ignore: key_ignore(key_path))
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 294fdcd6a1..c3809a912b 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -941,6 +941,15 @@ class AppGeneratorTest < Rails::Generators::TestCase
assert_directory("test/system")
end
+ unless Gem.win_platform?
+ def test_master_key_is_only_readable_by_the_owner
+ run_generator
+
+ stat = File.stat("config/master.key")
+ assert_equal "100600", sprintf("%o", stat.mode)
+ end
+ end
+
private
def stub_rails_application(root)
Rails.application.config.root = root