From 2b6667a677bf80be0f7dd14baa2516bfdd1f0b50 Mon Sep 17 00:00:00 2001
From: ebiggers
Date: Sat, 27 Jul 2019 15:50:47 -0700
Subject: [PATCH] cmd/fscrypt: give newly encrypted directories mode 0700 (#134)

Resolves https://github.com/google/fscrypt/issues/132
---
 cmd/fscrypt/commands.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index 66450c7..54e67ac 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -104,6 +104,13 @@ func encryptAction(c *cli.Context) error {
 return newExitError(c, err)
 }
 
+ // Most people expect that other users can't see their encrypted files
+ // while they're unlocked, so change the directory's mode to 0700.
+ if err := os.Chmod(path, 0700); err != nil {
+ fmt.Fprintf(c.App.Writer, "Warning: unable to chmod %q to 0700 [%v]\n", path, err)
+ // Continue on; don't consider this a fatal error.
+ }
+
 if !skipUnlockFlag.Value {
 fmt.Fprintf(c.App.Writer,
 "%q is now encrypted, unlocked, and ready for use.\n", path)
-- 
2.39.5
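Review bot: A failed `os.Chmod(path, 0700)` is only reported on `c.App.Writer` and is immediately followed by the "is now encrypted, unlocked, and ready for use" message, so a user or script can easily miss that the directory kept its previous mode and may stay readable by other users while it is unlocked. Since the failure is deliberately non-fatal, the warning should at least state that consequence, e.g. `"Warning: unable to chmod %q to 0700 [%v]; other users may be able to access its contents while it is unlocked\n"`, and it would be better sent to the error stream than mixed into normal output. The call also sets the mode outright instead of clearing only the group/other bits, so a stricter owner mode or a setgid bit already on the directory is overwritten; a short comment saying this is intended would help. `os.Chmod` acts on the path by name and follows symlinks; whether `path` is already resolved and checked is decided earlier in `encryptAction`, whose body starts and ends outside this hunk.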