From 5c82bf6ebaf3c75902d676060c55c5cd110e95c2 Mon Sep 17 00:00:00 2001
From: Raymond Hill
Date: Tue, 1 May 2018 08:25:20 -0400
Subject: [PATCH] restrict read/write of cached auth secrets to user
---
 dist/chromium/publish-beta.py | 3 +++
 dist/firefox/publish-signed-beta.py | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/dist/chromium/publish-beta.py b/dist/chromium/publish-beta.py
index 3f90c524c..5a284ba7a 100755
--- a/dist/chromium/publish-beta.py
+++ b/dist/chromium/publish-beta.py
@@ -64,8 +64,11 @@ def input_secret(prompt, token):
 value = ubo_secrets[token]
 elif token not in ubo_secrets or value != ubo_secrets[token]:
 ubo_secrets[token] = value
+ exists = os.path.isfile(ubo_secrets_filename)
 with open(ubo_secrets_filename, 'w') as f:
 json.dump(ubo_secrets, f, indent=2)
+ if not exists:
+ os.chmod(ubo_secrets_filename, 0o600)
 return value
diff --git a/dist/firefox/publish-signed-beta.py b/dist/firefox/publish-signed-beta.py
index 301652fe9..65deae30c 100755
--- a/dist/firefox/publish-signed-beta.py
+++ b/dist/firefox/publish-signed-beta.py
@@ -82,8 +82,11 @@ def input_secret(prompt, token):
 value = ubo_secrets[token]
 elif token not in ubo_secrets or value != ubo_secrets[token]:
 ubo_secrets[token] = value
+ exists = os.path.isfile(ubo_secrets_filename)
 with open(ubo_secrets_filename, 'w') as f:
 json.dump(ubo_secrets, f, indent=2)
+ if not exists:
+ os.chmod(ubo_secrets_filename, 0o600)
 return value # GitHub API token
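Review bot: The secrets file is still created by `open(ubo_secrets_filename, 'w')` under the process umask, and `os.chmod(ubo_secrets_filename, 0o600)` runs only after `json.dump` has written the tokens, so on first creation there is a window in which the cached secrets may be readable by other local users; the same pattern is in the dist/firefox/publish-signed-beta.py hunk. Because of the `if not exists:` guard, a cache file written by an earlier version of the script also keeps whatever mode it already had. Creating the file with the restrictive mode up front closes both gaps: `fd = os.open(ubo_secrets_filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` then `with os.fdopen(fd, 'w') as f:`, followed by an unconditional `os.chmod(ubo_secrets_filename, 0o600)`. If the guard is meant to respect a mode the user set by hand, a comment saying so would help. The body of input_secret starts outside the hunk, so how `value` and `ubo_secrets` are populated is not visible here.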