From 6f032e3c404502062fc4ceaa51d59b1a6e7f518d Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Sun, 30 Aug 2020 22:45:34 +0200
Subject: [PATCH] lnd: fix mnemonic file access vulnerability

Previously, the file was readable by 'other' for a short time after
creation.
---
 modules/lnd.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/lnd.nix b/modules/lnd.nix
index 621dc03..d32890c 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -174,13 +174,12 @@ in {
             mnemonic=${secretsDir}/lnd-seed-mnemonic
             if [[ ! -f $mnemonic ]]; then
               echo Create lnd seed
-
+              umask u=r,go=
               ${pkgs.curl}/bin/curl -s \
                 --cacert ${secretsDir}/lnd-cert \
                 -X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
             fi
             chown lnd: "$mnemonic"
-            chmod 400 "$mnemonic"
           ''}"
           "${let
             mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";