Explicitly set file permissions for admin-cluster-{bucket,iam}-export… (minio#5194)

angry-garden-salad · web-flow · commit 2c1e0587679e · 2025-05-02T09:34:41.000-07:00
Explicitly set file permissions for admin-cluster-{bucket,iam}-export.go to 600 regardless of umask
diff --git a/cmd/admin-cluster-bucket-export.go b/cmd/admin-cluster-bucket-export.go
@@ -119,6 +119,11 @@ func mainClusterBucketExport(ctx *cli.Context) error {
 	}
 	fatalIf(probe.NewError(moveFile(tmpFile.Name(), downloadPath)), "Unable to rename downloaded data, file exists at %s", tmpFile.Name())
 
+	// Explicitly set permissions to 0o600 and override umask
+	// to ensure that the file is not world-readable.
+	e = os.Chmod(downloadPath, 0o600)
+	fatalIf(probe.NewError(e), "Unable to set file permissions for "+downloadPath)
+
 	if !globalJSON {
 		console.Infof("Bucket metadata successfully downloaded as %s\n", downloadPath)
 		return nil
diff --git a/cmd/admin-cluster-iam-export.go b/cmd/admin-cluster-iam-export.go
@@ -125,6 +125,11 @@ func mainClusterIAMExport(ctx *cli.Context) error {
 
 	fatalIf(probe.NewError(moveFile(tmpFile.Name(), downloadPath)), "Unable to rename downloaded data, file exists at %s", tmpFile.Name())
 
+	// Explicitly set permissions to 0o600 and override umask
+	// to ensure that the file is not world-readable.
+	e = os.Chmod(downloadPath, 0o600)
+	fatalIf(probe.NewError(e), "Unable to set file permissions for "+downloadPath)
+
 	if !globalJSON {
 		console.Infof("IAM info successfully downloaded as %s\n", downloadPath)
 		return nil
