feat: change global config perm

Avoid the global user config to be system readable, restrict any access to the current user (600). Extends the global_config API to allow to specify a configuration directory to create the configuration file, it's needed for testing.
cloudflare · Jul 16, 2019 · 7740667 · 7740667
1 parent af51230
commit 7740667
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/src/commands/config.rs b/src/commands/config.rs
@@ -1,8 +1,24 @@
 use crate::terminal::message;
+#[cfg(test)]
+use std::env;
 use std::fs;
+use std::fs::File;
+#[cfg(not(target_os = "windows"))]
+use std::os::unix::fs::PermissionsExt;
+use std::path::PathBuf;
 
 use crate::settings::global_user::{get_global_config_dir, GlobalUser};
 
+// set the permissions on the dir, we want to avoid that other user reads to
+// file
+#[cfg(not(target_os = "windows"))]
+pub fn set_file_mode(file: &PathBuf) {
+    File::open(&file)
+        .unwrap()
+        .set_permissions(PermissionsExt::from_mode(0o600))
+        .expect("could not set permissions on file");
+}
+
 pub fn global_config(email: &str, api_key: &str) -> Result<(), failure::Error> {
     let s = GlobalUser {
         email: email.to_string(),
@@ -17,6 +33,10 @@ pub fn global_config(email: &str, api_key: &str) -> Result<(), failure::Error> {
     let config_file = config_dir.join("default.toml");
     fs::write(&config_file, &toml)?;
 
+    // set permissions on the file
+    #[cfg(not(target_os = "windows"))]
+    set_file_mode(&config_file);
+
     message::success(&format!(
         "Successfully configured. You can find your configuration file at: {}",
         &config_file.to_string_lossy()

diff --git a/tests/config.rs b/tests/config.rs
@@ -1,6 +1,7 @@
 use assert_cmd::prelude::*;
 use std::env;
 use std::fs;
+use std::fs::File;
 use std::io::prelude::*;
 use std::process::{Child, Command, Stdio};
 
@@ -33,6 +34,17 @@ api_key = "b"
 "#
     );
 
+    // check dir permissions (but not on windows)
+    if !cfg!(target_os = "windows") {
+        let mut command = Command::new("stat");
+        command.arg("-c");
+        command.arg("%a %n");
+        command.arg(&config_file);
+        let out = String::from_utf8(command.output().expect("could not stat file").stdout).unwrap();
+        // stat format is: "mode file"
+        assert!(out.starts_with("600"));
+    }
+
     fs::remove_dir_all(&fake_home_dir).expect("could not delete dir");
 }