From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 7C24D1FF183
	for <inbox@lore.proxmox.com>; Wed, 30 Jul 2025 09:23:50 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id A830D34A08;
	Wed, 30 Jul 2025 09:25:14 +0200 (CEST)
From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
In-Reply-To: <b5073f61-6163-4c0e-b9e4-24ec097f460c@proxmox.com> (Thomas
 Lamprecht's message of "Tue, 29 Jul 2025 18:10:40 +0200")
References: <20250613131125.354560-1-m.sandoval@proxmox.com>
 <DBJGCAE47P9V.A3OVL24G5EDG@proxmox.com>
 <b5073f61-6163-4c0e-b9e4-24ec097f460c@proxmox.com>
User-Agent: mu4e 1.12.9; emacs 30.1
Date: Wed, 30 Jul 2025 09:25:11 +0200
Message-ID: <s8owm7q16p4.fsf@proxmox.com>
MIME-Version: 1.0
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1753860300855
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.098 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [proxmox.com]
Subject: [pve-devel] superseded: [PATCH storage v2] fix #5181: pbs: store
 and read passwords as unicode
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

Thomas Lamprecht <t.lamprecht@proxmox.com> writes:

> Am 23.07.25 um 15:00 schrieb Shannon Sterz:
>> -->8 snip 8<--
>>> -    PVE::Tools::file_set_contents($pwfile, "$password\n");
>>> +    PVE::Tools::file_set_contents($pwfile, "$password\n", undef, 1);
>> i know this is pre-existing, but i'd feel more comfortable forcing the
>> permissions here rather than depending on the default behaviour. this is
>> a password file after all, being explicit doesn't hurt in my opinion.
>
> FWIW, as this file resides in /etc/pve/priv the permissions are enforced
> to 0600 by pmxcfs already, and the 0644 default from file_set_contents
> would have been problematic in any case already.
>
> Passing 0600 explicitly here might still not hurt though, and potentially
> even help, e.g. if one copies this over for some other secret that is e.g.
> node local and thinks this is secure as is, not very likely, but the cost
> of doing this is way to to small compared with potential impact.

v3 send at https://lore.proxmox.com/pve-devel/20250730072239.24928-1-m.sandoval@proxmox.com.

-- 
Maximiliano


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel