From: Thomas Lamprecht
To: Proxmox VE development discussion, Shannon Sterz
Date: Tue, 29 Jul 2025 18:10:40 +0200
Subject: Re: [pve-devel] [PATCH storage v2] fix #5181: pbs: store and read passwords as unicode

On 23.07.25 at 15:00, Shannon Sterz wrote:
> -->8 snip 8<--
>> - PVE::Tools::file_set_contents($pwfile, "$password\n");
>> + PVE::Tools::file_set_contents($pwfile, "$password\n", undef, 1);
> i know this is pre-existing, but i'd feel more comfortable forcing the
> permissions here rather than depending on the default behaviour. this is
> a password file after all, being explicit doesn't hurt in my opinion.

FWIW, as this file resides in /etc/pve/priv the permissions are enforced
to 0600 by pmxcfs already, and the 0644 default from file_set_contents
would have been problematic in any case already.

Passing 0600 explicitly here might still not hurt though, and potentially
even help, e.g. if one copies this over for some other secret that is
e.g. node local and thinks this is secure as is, not very likely, but the
cost of doing this is way too small compared with potential impact.
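
Review bot: the `+` line passes `undef` as the third argument to `PVE::Tools::file_set_contents`, so the mode of the password file is left to the helper's default rather than stated at the call site. Pass the mode explicitly, e.g. `PVE::Tools::file_set_contents($pwfile, "$password\n", 0600, 1);`, so the call stays safe if it is copied for a secret stored outside /etc/pve/priv. The trailing `1` is also a bare positional flag; a short comment next to it saying what it enables would make the unicode change named in the subject readable from the code itself.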