lnd: fix mnemonic file access vulnerability

Previously, the file was readable by 'other' for a short time after creation.
2020-08-30 22:45:34 +02:00 · 2020-08-30 22:45:34 +02:00 · 6f032e3c40
commit 6f032e3c40
parent b97584f5cb
1 changed files with 1 additions and 2 deletions
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -174,13 +174,12 @@ in {
            mnemonic=${secretsDir}/lnd-seed-mnemonic
            if [[ ! -f $mnemonic ]]; then
              echo Create lnd seed
-
+              umask u=r,go=
              ${pkgs.curl}/bin/curl -s \
                --cacert ${secretsDir}/lnd-cert \
                -X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
            fi
            chown lnd: "$mnemonic"
-            chmod 400 "$mnemonic"
          ''}"
          "${let
            mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";