config: fixup file permissions to be more strict

Normally the default in Arch is that all home directories are private. However, this may have been changed locally. To make sure we never expose secrets, lets use a umask of 0077 when writing the config. Additionally add some temporary fixup code to migrate the file and directory permissions of already existing paths. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2023-04-05 22:58:49 +02:00 · 2023-04-05 22:58:49 +02:00 · bc182032eb
parent f3518e248c
commit bc182032eb
1 changed files with 19 additions and 2 deletions
--- a/src/lib/config.sh
+++ b/src/lib/config.sh
@ -14,6 +14,13 @@ readonly XDG_DEVTOOLS_GITLAB_CONFIG="${XDG_DEVTOOLS_DIR}/gitlab.conf"
 export GITLAB_TOKEN=""

 load_devtools_config() {
+	# temporary permission fixup
+	if [[ -d "${XDG_DEVTOOLS_DIR}" ]]; then
+		chmod 700 "${XDG_DEVTOOLS_DIR}"
+	fi
+	if [[ -f "${XDG_DEVTOOLS_GITLAB_CONFIG}" ]]; then
+		chmod 600 "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+	fi
 	if [[ -n "${DEVTOOLS_GITLAB_TOKEN}" ]]; then
 		GITLAB_TOKEN="${DEVTOOLS_GITLAB_TOKEN}"
 		return
@ -26,6 +33,16 @@ load_devtools_config() {
 }

 save_devtools_config() {
-	mkdir -p "${XDG_DEVTOOLS_DIR}"
-	printf 'GITLAB_TOKEN="%s"\n' "${GITLAB_TOKEN}" > "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+	# temporary permission fixup
+	if [[ -d "${XDG_DEVTOOLS_DIR}" ]]; then
+		chmod 700 "${XDG_DEVTOOLS_DIR}"
+	fi
+	if [[ -f "${XDG_DEVTOOLS_GITLAB_CONFIG}" ]]; then
+		chmod 600 "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+	fi
+	(
+		umask 0077
+		mkdir -p "${XDG_DEVTOOLS_DIR}"
+		printf 'GITLAB_TOKEN="%s"\n' "${GITLAB_TOKEN}" > "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+	)
 }