Reduce permissions for created files on Unix-like platforms

autonomys · Dec 17, 2023 · 926a824 · 926a824
1 parent b7dee4d
commit 926a824
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/src/backend.rs b/src/backend.rs
@@ -28,6 +28,8 @@ use subspace_farmer::NodeRpcClient;
 use subspace_networking::libp2p::identity::ed25519::{Keypair, SecretKey};
 use subspace_networking::{Node, NodeRunner};
 use tokio::fs;
+use tokio::fs::OpenOptions;
+use tokio::io::AsyncWriteExt;
 use tokio::runtime::Handle;
 use tracing::{error, info_span, warn, Instrument};
 
@@ -657,7 +659,14 @@ async fn create_networking_stack(
             })?;
         }
 
-        fs::write(&keypair_path, network_keypair.secret())
+        let mut options = OpenOptions::new();
+        options.write(true).truncate(true).create(true);
+        #[cfg(unix)]
+        options.mode(0x600);
+        options
+            .open(&keypair_path)
+            .await?
+            .write_all(network_keypair.secret().as_ref())
             .await
             .map_err(|error| {
                 anyhow::anyhow!(

diff --git a/src/backend/config.rs b/src/backend/config.rs
@@ -7,6 +7,8 @@ use std::str::FromStr;
 use subspace_core_primitives::PublicKey;
 use subspace_farmer::utils::ss58::{parse_ss58_reward_address, Ss58ParsingError};
 use tokio::fs;
+use tokio::fs::OpenOptions;
+use tokio::io::AsyncWriteExt;
 
 // TODO: Replace with `DiskFarm`
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -94,11 +96,19 @@ impl RawConfig {
     }
 
     pub async fn write_to_path(&self, config_file_path: &Path) -> io::Result<()> {
-        fs::write(
-            config_file_path,
-            serde_json::to_string_pretty(self).expect("Config serialization is infallible; qed"),
-        )
-        .await
+        let mut options = OpenOptions::new();
+        options.write(true).truncate(true).create(true);
+        #[cfg(unix)]
+        options.mode(0x600);
+        options
+            .open(config_file_path)
+            .await?
+            .write_all(
+                serde_json::to_string_pretty(self)
+                    .expect("Config serialization is infallible; qed")
+                    .as_bytes(),
+            )
+            .await
     }
 
     pub fn reward_address(&self) -> &str {

diff --git a/src/main.rs b/src/main.rs
@@ -610,7 +610,7 @@ fn supervisor() -> io::Result<()> {
             ContentLimit::Bytes(LOG_FILE_LIMIT_SIZE),
             Compression::OnRotate(0),
             #[cfg(unix)]
-            None,
+            Some(0o600),
         )
     });