agate

Simple gemini server for static files
git clone https://github.com/mbrubeck/agate.git

commit 46016d7cd7b2348ba6262493749e5ecac6712235
parent d27141346664c1ef136320b9a11a009ba8077e1f
Author: Johann150 <johann.galle@protonmail.com>
Date:   Sun, 30 Jul 2023 21:01:30 +0200

permissions for key files (unix)

Key files are generally created in such a way that only the owner
of the file may read it. This is practised by other software, e.g.
openssl and thus seems like good behaviour for agate too.

Diffstat:
MCHANGELOG.md | 4++++
Msrc/main.rs | 21+++++++++++++++------
2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
+Thank you to Jan Stępień for contributing to this release.
+
+### Fixed
+* set permissions for generated key files so only owner can read them
 ## [3.3.0] - 2023-03-18
 Thank you to @equalsraf, @michaelnordmeyer and @wanderer1988 for contributing to this release.
diff --git a/src/main.rs b/src/main.rs
@@ -34,7 +34,7 @@ use {
 #[cfg(unix)]
 use {
- std::os::unix::fs::FileTypeExt,
+ std::os::unix::fs::{FileTypeExt, PermissionsExt},
 tokio::net::{UnixListener, UnixStream},
 };
@@ -320,11 +320,20 @@ fn args() -> Result<Args> {
 )))?;
 cert_file.write_all(&cert.serialize_der()?)?;
 // write key data to disk
- let mut key_file = File::create(certs_path.join(format!(
- "{}/{}",
- domain,
- certificates::KEY_FILE_NAME
- )))?;
+ let key_file_path =
+ certs_path.join(format!("{}/{}", domain, certificates::KEY_FILE_NAME));
+ let mut key_file = File::create(&key_file_path)?;
+ #[cfg(unix)]
+ {
+ // set permissions so only owner can read
+ match key_file.set_permissions(std::fs::Permissions::from_mode(0o400)) {
+ Ok(_) => (),
+ Err(_) => log::warn!(
+ "could not set permissions for new key file {}",
+ key_file_path.display()
+ ),
+ }
+ }
 key_file.write_all(&cert.serialize_private_key_der())?;
 reload_certs = true;
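Review bot: A failed `set_permissions` in the `#[cfg(unix)]` block is only logged, so the `write_all` that follows still writes the private key into a file with whatever mode `File::create` left it with (umask-dependent for a new file, the old mode for an existing one). The restrictive mode is also applied after the file already exists, which leaves a short window in which another local process can open it and keep that handle while the key is written. I would create the file with its mode in a single step through `OpenOptions` and `OpenOptionsExt::mode` (adding `OpenOptionsExt` to the unix `std::os::unix::fs` import changed in the earlier src/main.rs hunk) and propagate a `set_permissions` error with `?` instead of warning. The body of `args()` starts and ends outside this hunk, so whether this path can run over an already existing key file is not visible here.

```rust
// … unchanged: key_file_path computation …
#[cfg(unix)]
let mut key_file = {
    let file = std::fs::OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o400) // only honoured when the file is newly created
        .open(&key_file_path)?;
    // covers a pre-existing file, whose old mode open() leaves untouched
    file.set_permissions(std::fs::Permissions::from_mode(0o400))?;
    file
};
#[cfg(not(unix))]
let mut key_file = File::create(&key_file_path)?;
// … unchanged: key_file.write_all(...) and reload_certs …
```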