From edac98ca819a73c3697f6b5e38a0425f11dd98aa Mon Sep 17 00:00:00 2001
From: lxsang <xsang.le@gmail.com>
Date: Sun, 27 Dec 2020 11:49:29 +0100
Subject: [PATCH] setting file should not be readable by other user

---
 os/controllers/SystemController.lua | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/os/controllers/SystemController.lua b/os/controllers/SystemController.lua
index be7c89e..7822b80 100644
--- a/os/controllers/SystemController.lua
+++ b/os/controllers/SystemController.lua
@@ -53,10 +53,12 @@ function SystemController:settings(...)
     if user then
         local ospath = require("vfs").ospath("home:///", user)
         if REQUEST and REQUEST.json then
-            local f = io.open(ospath .. "/" .. ".settings.json", "w")
+            local file_path = ospath .. "/" .. ".settings.json"
+            local f = io.open(file_path, "w")
             if f then
                 f:write(REQUEST.json)
                 f:close()
+                os.execute("chmod o-r "..file_path)
                 result(true)
             else
                 fail("Cannot save setting")