From f6ab7238cd2af3580c271bc674153353d8056d15 Mon Sep 17 00:00:00 2001
From: Oliver Baer <75138893+mrwind-up-bird@users.noreply.github.com>
Date: Thu, 26 Feb 2026 15:18:55 +0100
Subject: [PATCH] fix(autofix): Secrets stored in world-readable temp state

---
 scripts/setup-vps.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/setup-vps.sh b/scripts/setup-vps.sh
index 23b4310..e21f6ac 100755
--- a/scripts/setup-vps.sh
+++ b/scripts/setup-vps.sh
@@ -40,7 +40,8 @@ fi
 echo "==> Generating secrets and creating .env..."
 FERNET_KEY=$(docker run --rm python:3.11-slim python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())" 2>/dev/null || echo "GENERATE_ME")
 JWT_SECRET=$(openssl rand -hex 32)
-PG_PASSWORD=$(openssl rand -base64 32 | tr -d '=+/')
+# Create .env with secure permissions from the start
+(umask 077 && cat > /opt/minirag/.env) < /opt/minirag/.env <
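Review bot: The `PG_PASSWORD=$(openssl rand -base64 32 | tr -d '=+/')` assignment is deleted and nothing in the visible hunk regenerates it. If the `.env` template that follows still expands `$PG_PASSWORD`, the database password would be written empty, so the line should stay above the new `umask` subshell. That template is not visible here because the tail of the hunk is garbled on this page. Separately, `umask 077` only sets the mode when the file is created: on a re-run, `cat >` truncates an existing `/opt/minirag/.env` and keeps its old, possibly world-readable mode. Adding `chmod 600 /opt/minirag/.env` right after the heredoc would enforce the mode in both cases.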