aboutsummaryrefslogtreecommitdiffstats
path: root/railties
diff options
context:
space:
mode:
authorJose Luis Duran <jlduran@users.noreply.github.com>2018-04-18 18:29:27 -0300
committerJose Luis Duran <jlduran@users.noreply.github.com>2018-04-19 08:44:08 -0300
commit4c6c3575c66ce10043c9ea04023788890a228de8 (patch)
tree01640e7a1e40ce32b0aa60314f241ec7e0f85bdf /railties
parent185fce159721b331cc9a0ae17b662373ee0fc95f (diff)
downloadrails-4c6c3575c66ce10043c9ea04023788890a228de8.tar.gz
rails-4c6c3575c66ce10043c9ea04023788890a228de8.tar.bz2
rails-4c6c3575c66ce10043c9ea04023788890a228de8.zip
Make the master.key readable only by the owner
This change may only apply to POSIX-compliant systems. Previously: $ ls -l config/master.key -rw-r--r-- 1 owner group 32 Jan 1 00:00 master.key Now: $ ls -l config/master.key -rw------- 1 owner group 32 Jan 1 00:00 master.key
Diffstat (limited to 'railties')
-rw-r--r--railties/CHANGELOG.md17
-rw-r--r--railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb1
-rw-r--r--railties/test/generators/app_generator_test.rb9
3 files changed, 27 insertions, 0 deletions
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 071a649956..a4d4a87a8b 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,20 @@
+* Make the master.key file read-only for the owner upon generation on
+ POSIX-compliant systems.
+
+ Previously:
+
+ $ ls -l config/master.key
+ -rw-r--r-- 1 owner group 32 Jan 1 00:00 master.key
+
+ Now:
+
+ $ ls -l config/master.key
+ -rw------- 1 owner group 32 Jan 1 00:00 master.key
+
+ Fixes #32604.
+
+ *Jose Luis Duran*
+
* Deprecate support for using the `HOST` environment to specify the server IP.
The `BINDING` environment should be used instead.
diff --git a/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
index 90068c678d..e2359e9ded 100644
--- a/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
+++ b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
@@ -27,6 +27,7 @@ module Rails
def add_key_file_silently(key_path, key = nil)
create_file key_path, key || ActiveSupport::EncryptedFile.generate_key
+ key_path.chmod 0600
end
def ignore_key_file(key_path, ignore: key_ignore(key_path))
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 294fdcd6a1..c3809a912b 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -941,6 +941,15 @@ class AppGeneratorTest < Rails::Generators::TestCase
assert_directory("test/system")
end
+ unless Gem.win_platform?
+ def test_master_key_is_only_readable_by_the_owner
+ run_generator
+
+ stat = File.stat("config/master.key")
+ assert_equal "100600", sprintf("%o", stat.mode)
+ end
+ end
+
private
def stub_rails_application(root)
Rails.application.config.root = root