gardesk/garwarp / 78232a1

Browse files

secure runtime dir permissions

Authored by mfwolffe <wolffemf@dukes.jmu.edu>
SHA
78232a1788c24a6ddd6151683399cf5b03329252
Parents
94095a9
Tree
81404ab

1 changed file

StatusFile+-
M garwarp/src/runtime.rs 34 1
garwarp/src/runtime.rsmodified
@@ -37,13 +37,22 @@ impl RuntimePaths {
3737
     }
3838
3939
     pub fn ensure_runtime_dir(&self) -> io::Result<()> {
40
-        fs::create_dir_all(&self.root)
40
+        fs::create_dir_all(&self.root)?;
41
+        #[cfg(unix)]
42
+        {
43
+            use std::os::unix::fs::PermissionsExt;
44
+
45
+            fs::set_permissions(&self.root, fs::Permissions::from_mode(0o700))?;
46
+        }
47
+        Ok(())
4148
     }
4249
 }
4350
4451
 #[cfg(test)]
4552
 mod tests {
53
+    use std::fs;
4654
     use std::path::PathBuf;
55
+    use std::time::{SystemTime, UNIX_EPOCH};
4756
4857
     use super::RuntimePaths;
4958
@@ -64,4 +73,28 @@ mod tests {
6473
             PathBuf::from("/tmp/runtime/garwarp/requests.state")
6574
         );
6675
     }
76
+
77
+    #[cfg(unix)]
78
+    #[test]
79
+    fn ensure_runtime_dir_sets_private_permissions() {
80
+        use std::os::unix::fs::PermissionsExt;
81
+
82
+        let nanos = SystemTime::now()
83
+            .duration_since(UNIX_EPOCH)
84
+            .map_or(0, |duration| duration.as_nanos());
85
+        let base = std::env::temp_dir().join(format!("garwarp-runtime-test-{nanos}"));
86
+        let paths = RuntimePaths::from_base(base.clone());
87
+        paths
88
+            .ensure_runtime_dir()
89
+            .expect("runtime dir should be created");
90
+
91
+        let mode = fs::metadata(&paths.root)
92
+            .expect("runtime metadata should be readable")
93
+            .permissions()
94
+            .mode()
95
+            & 0o777;
96
+        assert_eq!(mode, 0o700);
97
+
98
+        fs::remove_dir_all(base).expect("temp runtime dir should be removed");
99
+    }
67100
 }