config: preserve config file permissions on edits

Users may already store sensitive data such as imap.pass in
.git/config; making the file world-readable when "git config"
is called to edit means their password would be compromised
on a shared system.

[v2: updated for section renames, as noted by Junio]

Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

config.c

@@ -1634,6 +1634,13 @@ int git_config_set_multivar_in_file(const char *config_filename,
 			MAP_PRIVATE, in_fd, 0);
 		close(in_fd);
 
+		if (fchmod(fd, st.st_mode & 07777) < 0) {
+			error("fchmod on %s failed: %s",
+				lock->filename, strerror(errno));
+			ret = CONFIG_NO_WRITE;
+			goto out_free;
+		}
+
 		if (store.seen == 0)
 			store.seen = 1;
 
@@ -1782,6 +1789,7 @@ int git_config_rename_section_in_file(const char *config_filename,
 	int out_fd;
 	char buf[1024];
 	FILE *config_file;
+	struct stat st;
 
 	if (new_name && !section_name_is_ok(new_name)) {
 		ret = error("invalid section name: %s", new_name);
@@ -1803,6 +1811,14 @@ int git_config_rename_section_in_file(const char *config_filename,
 		goto unlock_and_out;
 	}
 
+	fstat(fileno(config_file), &st);
+
+	if (fchmod(out_fd, st.st_mode & 07777) < 0) {
+		ret = error("fchmod on %s failed: %s",
+				lock->filename, strerror(errno));
+		goto out;
+	}
+
 	while (fgets(buf, sizeof(buf), config_file)) {
 		int i;
 		int length;

t/t1300-repo-config.sh

@@ -1154,4 +1154,14 @@ test_expect_failure 'adding a key into an empty section reuses header' '
 	test_cmp expect .git/config
 '
 
+test_expect_success POSIXPERM,PERL 'preserves existing permissions' '
+	chmod 0600 .git/config &&
+	git config imap.pass Hunter2 &&
+	perl -e \
+	  "die q(badset) if ((stat(q(.git/config)))[2] & 07777) != 0600" &&
+	git config --rename-section imap pop &&
+	perl -e \
+	  "die q(badrename) if ((stat(q(.git/config)))[2] & 07777) != 0600"
+'
+
 test_done