From 58f5afba8ef924562f5469cf0fc72ec9c7585d09 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 14 Nov 2023 10:28:10 +0100
Subject: [PATCH] config - lock access to root and wheel group (ro), to align
 with backup storage.  closes https://github.com/opnsense/core/issues/6831

---
 src/opnsense/mvc/app/library/OPNsense/Core/Config.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Core/Config.php b/src/opnsense/mvc/app/library/OPNsense/Core/Config.php
index 8aa9b1654..c19782f02 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Core/Config.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Core/Config.php
@@ -609,6 +609,7 @@ class Config extends Singleton
         $fhandle = fopen($this->config_file, "r+");
         if (flock($fhandle, LOCK_EX)) {
             fseek($fhandle, 0);
+            chmod($this->config_file, 0640);
             ftruncate($fhandle, 0);
             fwrite($fhandle, file_get_contents($filename));
             fclose($fhandle);
@@ -720,6 +721,7 @@ class Config extends Singleton
         if ($this->config_file_handle !== null) {
             if (flock($this->config_file_handle, LOCK_EX)) {
                 fseek($this->config_file_handle, 0);
+                chmod($this->config_file, 0640);
                 ftruncate($this->config_file_handle, 0);
                 fwrite($this->config_file_handle, (string)$this);
                 // flush, unlock, but keep the handle open