From 44746e793b8953f237410e537bcee72020ec9d0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 13 Sep 2022 15:45:10 +0200
Subject: [PATCH] allow processes to read from secrets directory

---
 watcher.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/watcher.go b/watcher.go
index cad08bb..6579e66 100644
--- a/watcher.go
+++ b/watcher.go
@@ -175,7 +175,10 @@ func (s *server) setupWatcher(dir string) error {
 		return fmt.Errorf("Failed to initialize inotify: %v", err)
 	}
 	flags := uint32(syscall.IN_CREATE | syscall.IN_MOVED_TO | syscall.IN_ONLYDIR)
-	res := os.MkdirAll(dir, 0o700)
+
+	// Allow processes to read files from this directory if they have the
+	// permissions on the files, but don't allow them to list files in it.
+	res := os.MkdirAll(dir, 0o711)
 	if err != nil && !os.IsNotExist(res) {
 		return fmt.Errorf("Failed to create secret directory: %v", err)
 	}
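Review bot: The check that follows the new `res := os.MkdirAll(dir, 0o711)` tests `err`, which is the inotify error already returned on above and therefore nil at this point, instead of `res`, so a failed MkdirAll is silently ignored and the watcher is set up against a directory that may not exist; it should read `if res != nil { return fmt.Errorf("Failed to create secret directory: %v", res) }`. The `os.IsNotExist(res)` test is also not meaningful for a create error and can go with that change. Note too that MkdirAll applies 0o711 only to directories it creates, and subject to the process umask, so a directory left at 0o700 by an earlier version keeps its old mode on upgrade — an explicit `os.Chmod(dir, 0o711)` after the create, or a comment stating that the mode only applies to fresh directories, would make the intended behaviour clear. setupWatcher's body continues outside the hunk.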