Change file permissions on local compose output

Since this file could potentialy include decrypted secrets, we don't want this to be readable by other users. TODO: allow file permissions to be configurable?
aws · Jun 13, 2019 · 4825679 · 4825679
1 parent 3a73a58
commit 4825679
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/ecs-cli/modules/cli/local/project/project.go b/ecs-cli/modules/cli/local/project/project.go
@@ -34,7 +34,7 @@ import (
 
 const (
 	LocalOutDefaultFileName = "./docker-compose.local.yml"
-	LocalOutFileMode        = os.FileMode(0644) // Owner=read/write, Other=readonly
+	LocalOutFileMode        = os.FileMode(0600) // Owner=read/write, Other=none
 	LocalInFileName         = "./task-definition.json"
 )
 
@@ -148,6 +148,8 @@ func (p *localProject) readTaskDefinitionFromArn(arn string) (*ecs.TaskDefinitio
 // stores the data on the project
 func (p *localProject) Convert() error {
 	// FIXME get secrets here, pass to converter?
+	// NOTE: Should add log message to warn user that decrypted secret
+	// will be written to local compose file
 	data, err := converter.ConvertToDockerCompose(p.taskDefinition)
 
 	if err != nil {