Ensure temporary file for editing is only read-writable by owner.

felixfontein · felixfontein · commit 5921efdd4565 · 2025-08-06T07:58:59.000+02:00
Signed-off-by: Felix Fontein &lt;felix@fontein.de&gt;
diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go
@@ -109,6 +109,10 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {
 	}
 	// Ensure that in any case, the temporary file is always closed.
 	defer tmpfile.Close()
+	// Ensure that the file is read+write for owner only.
+	if err = tmpfile.Chmod(0600); err != nil {
+		return nil, common.NewExitError(fmt.Sprintf("Could not change permissions of temporary file to read-write for owner only: %s", err), codes.CouldNotWriteOutputFile)
+	}
 
 	tmpfileName := tmpfile.Name()
 

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,10 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {`
`109`	`109`	`}`
`110`	`110`	`// Ensure that in any case, the temporary file is always closed.`
`111`	`111`	`defer tmpfile.Close()`
	`112`	`+ // Ensure that the file is read+write for owner only.`
	`113`	`+ if err = tmpfile.Chmod(0600); err != nil {`
	`114`	`+ return nil, common.NewExitError(fmt.Sprintf("Could not change permissions of temporary file to read-write for owner only: %s", err), codes.CouldNotWriteOutputFile)`
	`115`	`+ }`
`112`	`116`
`113`	`117`	`tmpfileName := tmpfile.Name()`
`114`	`118`