From 63a065237aaeaf28ae8c216038c39089c25e1dc9 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <dhh@hey.com>
Date: Sat, 11 Feb 2023 12:56:57 +0100
Subject: [PATCH] Ensure .env file is only accessible to user

---
 lib/mrsk/cli/main.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/mrsk/cli/main.rb b/lib/mrsk/cli/main.rb
index c204a9c8..92e390bc 100644
--- a/lib/mrsk/cli/main.rb
+++ b/lib/mrsk/cli/main.rb
@@ -107,10 +107,14 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
   desc "envify", "Create .env by evaluating .env.erb (or .env.staging.erb -> .env.staging when using -d staging)"
   def envify
     if destination = options[:destination]
-      File.write(".env.#{destination}", ERB.new(IO.read(Pathname.new(File.expand_path(".env.#{destination}.erb")))).result)
+      env_template_path = ".env.#{destination}.erb"
+      env_path          = ".env.#{destination}"
     else
-      File.write(".env", ERB.new(IO.read(Pathname.new(File.expand_path(".env.erb")))).result)
+      env_template_path = ".env.erb"
+      env_path          = ".env"
     end
+
+    File.open(env_path, "w+", 0600) { |env_file| env_file.write ERB.new(Pathname.new(env_template_path).read).result }
   end
 
   desc "remove", "Remove Traefik, app, and registry session from servers"