eyaml edit should create tempfiles with more restrictive permissions (for example 0600) instead of using current umask

[gburjan]

Seems like eyaml backend's write_tempfile function uses ruby Tempfile without specifying appropriate permissions, so decrypted temporary files which contain decrypted passwords are saved as world readable on a usual Linux machine. In the example below I only unset EDITOR variable in order to prevent deleting tempfile.

[root@puppetmaster ~]# uname -a
Linux puppetmaster.local 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@puppetmaster ~]# unset EDITOR
[root@puppetmaster ~]# unset TMPDIR
[root@puppetmaster ~]# eyaml edit /etc/puppet/hieradata/hosts/testhost.local.yaml
[hiera-eyaml-core] Loaded config from /etc/eyaml/config.yaml
[hiera-eyaml-core] Editor not found. Please set your EDITOR env variable
[root@puppetmaster ~]# ls -l /tmp/eyaml_edit20150324-6814-iwmpep-0.yaml
-rw-r--r--. 1 root root 3781 Mar 24 13:37 /tmp/eyaml_edit20150324-6814-iwmpep-0.yaml
[root@puppetmaster ~]#

[elyscape]

Good catch.

[elyscape]

@gburjan I have a fix almost ready. I just need to write some spec tests for it and then I'll be submitting a pull request.

[elyscape]

Testing has turned out to be more complicated than I anticipated. I should have something ready sometime in the next day or two.

[elyscape]

@gburjan Please test out 2.0.8 and verify if the issue has been resolved.