authorXabier de Zuazo <xabier@zuazo.org>2012-06-21 14:09:31 -0400
committerBryan McLellan <btm@opscode.com>2012-06-21 14:09:31 -0400
commit8f3b074d4487cc369812f19d16392b37803bf396 (patch)
tree36d5707fd127b93f7979e0b9978b4b6a98509375
parentbd90cf66f3b48548ea6a4fffd3a7ece8ea732769 (diff)
downloadchef-8f3b074d4487cc369812f19d16392b37803bf396.tar.gz
CHEF-3134: set FileCache default perms to 0640
Files created by FileCache could be sensitive, particularly failed-run-data.json which is set to 0640 by this patch, but we also chose to default to 0640 here. Signed-off-by: Bryan McLellan <btm@opscode.com>
-rw-r--r--chef/lib/chef/file_cache.rb6
-rw-r--r--chef/lib/chef/handler/error_report.rb2
2 files changed, 5 insertions, 3 deletions
diff --git a/chef/lib/chef/file_cache.rb b/chef/lib/chef/file_cache.rb
index a43fe60580..89e934ea05 100644
--- a/chef/lib/chef/file_cache.rb
+++ b/chef/lib/chef/file_cache.rb
@@ -33,10 +33,12 @@ class Chef
# path<String>:: The path to the file you want to put in the cache - should
# be relative to file_cache_path
# contents<String>:: A string with the contents you want written to the file
+ # perm<String>:: Sets file permission bits. Permission bits are platform
+ # dependent; on Unix systems, see open(2) for details.
#
# === Returns
# true
- def store(path, contents)
+ def store(path, contents, perm=0640)
validate(
{
:path => path,
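Review bot: The added doc line declares `perm<String>`, but the default on the new `def store(path, contents, perm=0640)` line is an Integer octal literal, and a string such as "0640" would most likely be rejected by `File.open` rather than interpreted as a mode. The doc should read something like `# perm<Integer>:: File mode used when the file is created (default 0640); subject to the process umask`. The `validate(` call continues outside this hunk, so whether `perm` is type-checked there is not visible; if it is not, adding it to that validation would catch a caller passing the wrong type.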
@@ -51,7 +53,7 @@ class Chef
file_path_array = File.split(path)
file_name = file_path_array.pop
cache_path = create_cache_path(File.join(file_path_array))
- File.open(File.join(cache_path, file_name), "w") do |io|
+ File.open(File.join(cache_path, file_name), "w", perm) do |io|
io.print(contents)
end
true
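Review bot: The `perm` argument on the new `File.open(File.join(cache_path, file_name), "w", perm)` line only takes effect when the call creates the file. A cache file that already exists, for example a failed-run-data.json written before this change, is truncated and keeps its old and possibly world-readable mode. Setting the mode on the open handle closes that gap: add `io.chmod(perm)` as the first statement in the block, before `io.print(contents)`. The directories made by `create_cache_path` are defined outside this hunk, so their permissions need a separate check. The body of `store` continues past the hunk, and the `error_report.rb` caller in this commit depends on this same path.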
diff --git a/chef/lib/chef/handler/error_report.rb b/chef/lib/chef/handler/error_report.rb
index dc47ed5024..8bf676418d 100644
--- a/chef/lib/chef/handler/error_report.rb
+++ b/chef/lib/chef/handler/error_report.rb
@@ -24,7 +24,7 @@ class Chef
class ErrorReport < ::Chef::Handler
def report
- Chef::FileCache.store("failed-run-data.json", Chef::JSONCompat.to_json_pretty(data))
+ Chef::FileCache.store("failed-run-data.json", Chef::JSONCompat.to_json_pretty(data), 0640)
Chef::Log.fatal("Saving node information to #{Chef::FileCache.load("failed-run-data.json", false)}")
end
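Review bot: The literal `0640` on the new `Chef::FileCache.store(...)` line repeats the default this commit introduces, and nothing at the call site says why it is pinned. A one-line comment above the call would preserve the intent if the FileCache default is later relaxed, for example `# failed-run data can hold sensitive node information; keep it non-world-readable regardless of the FileCache default`. Because the mode is only applied at file creation, the fatal log line that follows can still point at a file with older, looser permissions on hosts that already have one.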