From 5a6736f676d1110cd69fefee9862108f21b4e7ac Mon Sep 17 00:00:00 2001
From: Nicolas Thauvin <nico@orgrim.net>
Date: Thu, 1 May 2025 10:32:23 +0200
Subject: [PATCH] Set permisions of encrypted files in the dir format

---
 config_test.go |  2 ++
 crypto.go      |  5 +++++
 main.go        | 10 ++++++++++
 pg_back.conf   |  2 +-
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/config_test.go b/config_test.go
index 0daec2e..bd717f7 100644
--- a/config_test.go
+++ b/config_test.go
@@ -515,6 +515,7 @@ func TestParseCli(t *testing.T) {
 				[]string{"--delete-uploaded", "yes"},
 				options{
 					Directory:               "/var/backups/postgresql",
+					Mode:                    0o600,
 					Format:                  'c',
 					DirJobs:                 1,
 					CompressLevel:           -1,
@@ -544,6 +545,7 @@ func TestParseCli(t *testing.T) {
 				[]string{"--delete-uploaded", "true"},
 				options{
 					Directory:               "/var/backups/postgresql",
+					Mode:                    0o600,
 					Format:                  'c',
 					DirJobs:                 1,
 					CompressLevel:           -1,
diff --git a/crypto.go b/crypto.go
index 541ae43..402ef3c 100644
--- a/crypto.go
+++ b/crypto.go
@@ -169,6 +169,11 @@ func encryptFile(path string, mode int, params encryptParams, keep bool) ([]stri
 				}
 
 				encrypted = append(encrypted, dstFile)
+				if mode > 0 {
+					if err := os.Chmod(dstFile, os.FileMode(mode)); err != nil {
+						return fmt.Errorf("could not chmod to more secure permission for encrypted file: %w", err)
+					}
+				}
 
 				if !keep {
 					l.Verboseln("removing source file:", path)
diff --git a/main.go b/main.go
index e30bee0..9a97da0 100644
--- a/main.go
+++ b/main.go
@@ -750,10 +750,20 @@ func (d *dump) dump(fc chan<- sumFileJob) error {
 			if (mode&0o400 > 0) || (mode&0o200 > 0) {
 				mode = mode | 0o100
 			}
+
+			if (mode&0o040 > 0) || (mode&0o020 > 0) {
+				mode = mode | 0o010
+			}
+
+			if (mode&0o004 > 0) || (mode&0o002 > 0) {
+				mode = mode | 0o001
+			}
 		}
+
 		if err := os.Chmod(file, mode); err != nil {
 			return fmt.Errorf("could not chmod to more secure permission for %s: %w", dbname, err)
 		}
+
 		if isDirFormat {
 			// adapt mode on files on directory based on initial configured mode
 			if err := recursiveChmod(file, os.FileMode(d.Mode)); err != nil {
diff --git a/pg_back.conf b/pg_back.conf
index 27b147c..908b54b 100644
--- a/pg_back.conf
+++ b/pg_back.conf
@@ -14,7 +14,7 @@ backup_directory = /var/backups/postgresql
 # disable modifying permission and let the system handle that (example when
 # umask is defined). When the format is set to directory, pg_back ensures
 # the top-level directory is traversable by adding execute (+x) permission
-# if read (r) or write (w) permission is set. This does not affect the
+# if read (r) or write (w) permission is set and it set the configured
 # permissions of files inside the directory.
 backup_file_mode = 0600