From f533b5d5cf5178adf7f8f968cd7ded45c00ad9e6 Mon Sep 17 00:00:00 2001
From: Steven <61625851+justusbunsi@users.noreply.github.com>
Date: Sun, 27 Jun 2021 12:07:36 +0200
Subject: [PATCH] Make app.ini more restrictive on new installations (#16266)

Signed-off-by: Steven Kriegler <61625851+justusbunsi@users.noreply.github.com>
---
 modules/setting/setting.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index ca18f8f5ba..de167e288a 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -1159,6 +1159,19 @@ func CreateOrAppendToCustomConf(callback func(cfg *ini.File)) {
 	if err := cfg.SaveTo(CustomConf); err != nil {
 		log.Fatal("error saving to custom config: %v", err)
 	}
+
+	// Change permissions to be more restrictive
+	fi, err := os.Stat(CustomConf)
+	if err != nil {
+		log.Error("Failed to determine current conf file permissions: %v", err)
+		return
+	}
+
+	if fi.Mode().Perm() > 0o600 {
+		if err = os.Chmod(CustomConf, 0o600); err != nil {
+			log.Warn("Failed changing conf file permissions to -rw-------. Consider changing them manually.")
+		}
+	}
 }
 
 // NewServices initializes the services
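Review bot: The check `fi.Mode().Perm() > 0o600` at the end of CreateOrAppendToCustomConf compares modes as integers, so a file that is group- or world-readable but numerically below 0o600 (0o444 or 0o440, for example) is never tightened. Testing the group/other bits directly, `if fi.Mode().Perm()&0o077 != 0 {`, covers every case where someone other than the owner has access. The `log.Warn` call also discards `err`; ending the message with `: %v` and passing `err` would tell the operator why the chmod failed. Because the tightening runs only after `cfg.SaveTo`, a newly created file may briefly exist with a broader mode, presumably whatever SaveTo and the process umask produce, which is worth confirming. The function body begins outside this hunk.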