Set permisions of encrypted files in the dir format

orgrim · orgrim · commit 72660a844841 · 2025-05-01T10:38:43.000+02:00
diff --git a/config_test.go b/config_test.go
@@ -515,6 +515,7 @@ func TestParseCli(t *testing.T) {
 				[]string{"--delete-uploaded", "yes"},
 				options{
 					Directory:               "/var/backups/postgresql",
+					Mode:                    0o600,
 					Format:                  'c',
 					DirJobs:                 1,
 					CompressLevel:           -1,
@@ -544,6 +545,7 @@ func TestParseCli(t *testing.T) {
 				[]string{"--delete-uploaded", "true"},
 				options{
 					Directory:               "/var/backups/postgresql",
+					Mode:                    0o600,
 					Format:                  'c',
 					DirJobs:                 1,
 					CompressLevel:           -1,
diff --git a/crypto.go b/crypto.go
@@ -169,6 +169,11 @@ func encryptFile(path string, mode int, params encryptParams, keep bool) ([]stri
 				}
 
 				encrypted = append(encrypted, dstFile)
+				if mode > 0 {
+					if err := os.Chmod(dstFile, os.FileMode(mode)); err != nil {
+						return fmt.Errorf("could not chmod to more secure permission for encrypted file: %w", err)
+					}
+				}
 
 				if !keep {
 					l.Verboseln("removing source file:", path)
diff --git a/main.go b/main.go
@@ -750,10 +750,20 @@ func (d *dump) dump(fc chan<- sumFileJob) error {
 			if (mode&0o400 > 0) || (mode&0o200 > 0) {
 				mode = mode | 0o100
 			}
+
+			if (mode&0o040 > 0) || (mode&0o020 > 0) {
+				mode = mode | 0o010
+			}
+
+			if (mode&0o004 > 0) || (mode&0o002 > 0) {
+				mode = mode | 0o001
+			}
 		}
+
 		if err := os.Chmod(file, mode); err != nil {
 			return fmt.Errorf("could not chmod to more secure permission for %s: %w", dbname, err)
 		}
+
 		if isDirFormat {
 			// adapt mode on files on directory based on initial configured mode
 			if err := recursiveChmod(file, os.FileMode(d.Mode)); err != nil {
diff --git a/pg_back.conf b/pg_back.conf
@@ -14,7 +14,7 @@ backup_directory = /var/backups/postgresql
 # disable modifying permission and let the system handle that (example when
 # umask is defined). When the format is set to directory, pg_back ensures
 # the top-level directory is traversable by adding execute (+x) permission
-# if read (r) or write (w) permission is set. This does not affect the
+# if read (r) or write (w) permission is set and it set the configured
 # permissions of files inside the directory.
 backup_file_mode = 0600
 
