From 7af1d29fc020e57f3587aace728fbb40e35669cf Mon Sep 17 00:00:00 2001
From: "sorah (Shota Fukumori)"
Date: Tue, 15 Mar 2016 02:16:47 +0900
Subject: [PATCH] Make tempfile unreadable to secure Doing it twice. Why? Because but infraspec send_file doesn't have an interface to set mode nor owner. Also it doesn't guarantee to keep file mode when overwriting existing file.
---
 lib/itamae/resource/file.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/itamae/resource/file.rb b/lib/itamae/resource/file.rb
index f56ed3ff..dbd36ae3 100644
--- a/lib/itamae/resource/file.rb
+++ b/lib/itamae/resource/file.rb
@@ -171,7 +171,11 @@ def send_tempfile
 end
 @temppath = ::File.join(runner.tmpdir, Time.now.to_f.to_s)
+
+ run_command(["touch", @temppath])
+ run_specinfra(:change_file_mode, @temppath, '0600')
 backend.send_file(src, @temppath)
+ run_specinfra(:change_file_mode, @temppath, '0600')
 ensure
 f.unlink if f
 end
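Review bot: The `touch` followed by a separate `change_file_mode` leaves a short window in which `@temppath` exists with the default umask mode, and a process that opens it in that window keeps its descriptor after the chmod; whether it then sees the content depends on whether `send_file` writes in place or replaces the file, which the hunk does not show. Creating the file already restricted closes that first window, for example `run_command(["sh", "-c", 'umask 077 && touch "$1"', "sh", @temppath])`, assuming `run_command` passes array arguments through without shell interpolation. `touch` also succeeds on a path that already exists, so with the name derived from `Time.now.to_f` it is worth confirming that `runner.tmpdir` is a directory only the itamae user can write to. A short comment above the second `change_file_mode`, saying that `send_file` may not preserve the mode when it overwrites, would keep the reason for the repeated call next to the code. `send_tempfile` begins above the hunk, so the earlier part of its body was not reviewed.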