From fd084c15c3918ce279708db44e31f2730558e648 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Thu, 23 Dec 2021 16:34:54 -0500
Subject: [PATCH] cli: use file mode 0600 when saving a snapshot

So that other users on the machine can not access the snapshot data.
---
 command/snapshot/save/snapshot_save.go | 7 ++++---
 command/snapshot/save/snapshot_save_test.go | 4 ++++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/command/snapshot/save/snapshot_save.go b/command/snapshot/save/snapshot_save.go
index 699cf5f1d..e43dcb612 100644
--- a/command/snapshot/save/snapshot_save.go
+++ b/command/snapshot/save/snapshot_save.go
@@ -5,11 +5,12 @@ import (
 "fmt"
 "os"
 
+ "github.com/mitchellh/cli"
+ "github.com/rboyer/safeio"
+
 "github.com/hashicorp/consul/api"
 "github.com/hashicorp/consul/command/flags"
 "github.com/hashicorp/consul/snapshot"
- "github.com/mitchellh/cli"
- "github.com/rboyer/safeio"
 )
 
 func New(ui cli.Ui) *cmd {
@@ -71,7 +72,7 @@ func (c *cmd) Run(args []string) int {
 
 // Save the file first.
 unverifiedFile := file + ".unverified"
- if _, err := safeio.WriteToFile(snap, unverifiedFile, 0666); err != nil {
+ if _, err := safeio.WriteToFile(snap, unverifiedFile, 0600); err != nil {
 c.UI.Error(fmt.Sprintf("Error writing unverified snapshot file: %s", err))
 return 1
 }
diff --git a/command/snapshot/save/snapshot_save_test.go b/command/snapshot/save/snapshot_save_test.go
index 79df0dfc6..10e8abcfe 100644
--- a/command/snapshot/save/snapshot_save_test.go
+++ b/command/snapshot/save/snapshot_save_test.go
@@ -94,6 +94,10 @@ func TestSnapshotSaveCommand(t *testing.T) {
 t.Fatalf("bad: %d. %#v", code, ui.ErrorWriter.String())
 }
 
+ fi, err := os.Stat(file)
+ require.NoError(t, err)
+ require.Equal(t, fi.Mode(), os.FileMode(0600))
+
 f, err := os.Open(file)
 if err != nil {
 t.Fatalf("err: %v", err)
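Review bot: The new `0600` literal in the `safeio.WriteToFile` call has no explanation at the call site, so a later edit could loosen it again without noticing why it was tightened. I would add a comment above the call such as `// 0600: a snapshot holds cluster state, so keep it readable by the owner only.` The mode applies only when this command creates the file, so snapshots written by earlier versions keep whatever mode 0666 and the umask gave them; that is worth a changelog line so operators can tighten existing files. Run starts and ends outside the hunk, so the step that turns the `.unverified` file into the final one is not visible here; the test in snapshot_save_test.go stats the final path, which suggests the mode survives it.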
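Review bot: The added `require.Equal(t, fi.Mode(), os.FileMode(0600))` passes the actual value where testify expects the expected one, so a failure would report the two values swapped. It also compares the whole mode rather than only the permission bits; `require.Equal(t, os.FileMode(0600), fi.Mode().Perm())` states the intent directly. If this test also runs on Windows, where Go reports file permissions as 0666 or 0444, the assertion would presumably fail there and may need a platform guard. TestSnapshotSaveCommand starts and ends outside the hunk.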