client/nix_netrc: Set permission to 0600 on creation and write

2023-01-02 05:08:07 -07:00 · 2023-01-02 05:08:07 -07:00 · 70ed477208
parent 384e7aa92d
commit 70ed477208
1 changed files with 22 additions and 2 deletions
--- a/client/src/nix_netrc.rs
+++ b/client/src/nix_netrc.rs
@ -8,12 +8,18 @@

 use std::collections::HashMap;
 use std::fmt;
+use std::fs::Permissions;
+use std::os::unix::fs::PermissionsExt;
 use std::path::{Path, PathBuf};

 use anyhow::{anyhow, Result};
-use tokio::fs;
+use tokio::fs::{self, OpenOptions};
+use tokio::io::AsyncWriteExt;
 use xdg::BaseDirectories;

+/// The permission the configuration file should have.
+const FILE_MODE: u32 = 0o600;
+
 #[derive(Debug)]
 pub struct NixNetrc {
    /// Path to write the modified netrc back to.
@ -64,7 +70,21 @@ impl NixNetrc {
        if let Some(path) = &self.path {
            let mut content = String::new();
            serialize_machines(&mut content, &self.machines)?;
-            fs::write(path, content).await?;
+
+            // This isn't atomic, so some other process might chmod it
+            // to something else before we write. We don't handle this case.
+            if path.exists() {
+                let permissions = Permissions::from_mode(FILE_MODE);
+                fs::set_permissions(path, permissions).await?;
+            }
+
+            let mut file = OpenOptions::new()
+                .create(true)
+                .write(true)
+                .mode(FILE_MODE)
+                .open(path).await?;
+
+            file.write_all(content.as_bytes()).await?;
            Ok(())
        } else {
            Err(anyhow!("Don't know how to save the netrc"))