Merge #79

79: fix small security race r=Mic92 a=zimbatm



Co-authored-by: zimbatm <zimbatm@zimbatm.com>

Author: bors[bot]

terraform/nixos-rebuild/deploy.sh

@@ -21,9 +21,11 @@ sshOpts+=(-o StrictHostKeyChecking=no)
 
 if [[ -n ${SSH_KEY+x} && ${SSH_KEY} != "-" ]]; then
   sshPrivateKeyFile="$workDir/ssh_key"
-  trap 'rm "$sshPrivateKeyFile"' EXIT
-  echo "$SSH_KEY" >"$sshPrivateKeyFile"
-  chmod 0700 "$sshPrivateKeyFile"
+  # Create the file with 0700 - umask calculation: 777 - 700 = 077
+  (
+    umask 077
+    echo "$SSH_KEY" >"$sshPrivateKeyFile"
+  )
   unset SSH_AUTH_SOCK # don't use system agent if key was supplied
   sshOpts+=(-o "IdentityFile=${sshPrivateKeyFile}")
 fi