diff --git a/lib/puppet/provider/ssh_authorized_key/parsed.rb b/lib/puppet/provider/ssh_authorized_key/parsed.rb
index b10066e..f18987b 100644
--- a/lib/puppet/provider/ssh_authorized_key/parsed.rb
+++ b/lib/puppet/provider/ssh_authorized_key/parsed.rb
@@ -38,7 +38,11 @@ def dir_perm
     0o700
   end
 
-  def file_perm
+  def file_perm_readonly
+    0o444
+  end
+
+  def file_perm_writable
     0o600
   end
 
@@ -84,7 +88,7 @@ def flush
       end
       super
-      File.chmod(file_perm, target)
+      File.chmod(file_perm_writable, target)
     end
 
     # to avoid race conditions when handling permissions as a privileged user
     # (CVE-2011-3870) we use the trusted_path method to ensure the entire
@@ -97,7 +101,7 @@ def flush
     gid = Puppet::Util.gid(@resource.should(:user))
     File.open(target) do |target|
       target.chown(uid, gid)
-      target.chmod(file_perm)
+      target.chmod(file_perm_readonly)
     end
   end
 end
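Review bot: `file_perm_readonly` and `file_perm_writable` carry no comment explaining the two-mode scheme they encode, so a reader meeting `0o444` here cannot tell whether dropping owner-write (and opening the file to world-read) is deliberate. A one-line comment on each would settle it, e.g. `# Final mode once flush is done: authorized_keys holds only public keys, so world-readable is acceptable, and sshd StrictModes only rejects group/world-writable files` above `file_perm_readonly`, and `# Mode held only while flush rewrites the file` above `file_perm_writable`. Why owner-write is dropped rather than kept at 0o400/0o600 is not visible in the diff; if it is to guard against edits outside Puppet, say so rather than leave it implied. Both methods are complete in the hunk; the enclosing provider body extends beyond it.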
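Review bot: `File.chmod(file_perm_writable, target)` is issued after `super` has already written the file, so from this hunk it is not clear what the writable mode enables before the read-only mode is applied by the fd-based step later in the same method; if its purpose is, say, to normalise a mode that the write step left in place, a short comment would stop the next reader from assuming a file can legitimately stay at 0o600. This call also operates on a path, unlike the `target.chmod` below that the CVE-2011-3870 comment justifies; if that is acceptable because this line runs unprivileged as the key's owner (inferred, not visible here), record it with something like `# by-path chmod is fine here: presumably running as the key owner, not root — confirm`. Note that if anything raises between this line and the later read-only chmod, the file is left at 0o600, which matches the previous behaviour but is worth stating. flush begins before this hunk and continues past it.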
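Review bot: `target.chmod(file_perm_readonly)` changes the mode every managed authorized_keys file ends up with from 0o600 to 0o444, a user-visible change (world-readable, owner cannot edit without a chmod) that nothing in the diff documents; the provider's documentation and any spec asserting the final mode should be updated alongside it. A comment at the call site, e.g. `# final mode: read-only for everyone; sshd StrictModes only rejects group/world-writable files, so this keeps logins working`, would make the choice explicit and tie it to the chown just above it. The chown-then-chmod order on the open descriptor is the right one and is unchanged by the commit. flush begins outside this hunk.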