etckeeper: check out in a safe way?
Etckeeper is great, but it's not clear from the docs, how to check out a commit or a branch directly in /etc in a secure way. The issue is when you do a check out, git doesn't care about metadata and permissions, and you have to restore them using the etckeeper init
command afterwards. It takes them from the .etckeeper
file. This means, that until that moment, sensitive information can be exposed and read by all users in the system.
Here's the relevant part of the documentation:
You can use any git commands you like, but do keep in mind that, if you check out a different branch or an old version, git is operating directly on your system's /etc. If you do decide to check out a branch or tag, make sure you run "etckeeper init" again, to get any metadata changes:
git checkout april_first_joke_etc
etckeeper init
And here's from an answer on the etckeeper's forum, which adds to my confusion:
etckeeper init only restores file permissions when run in an existing repository.
Do note that there's a window where files that are supposed to be private may be exposed, depending on your umask, before the permissions are fixed up. So I can't completely recommend doing this.
The question is: would adding a small step of setting umask 077 temporarily before doing the check out suffice?
umask 077
git checkout april_first_joke_etc
etckeeper init
umask 022 # or whatever it was before, or just quit current session