Set more restrictive permission when creating the config directory and key files on unix.#2415

Merged: fnando merged 4 commits into main from change-permissions on Mar 3, 2026

@fnando fnando commented Feb 25, 2026

What

As the title describes it.

Why

So config dir and key files are visible only to the owner.

Known limitations

Windows doesn't have something similar that's easily appliable (we may be able to use ACLs, but it's way more complex).

Copilot AI review requested due to automatic review settings February 25, 2026 18:44
@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX Feb 25, 2026
@fnando fnando requested review from leighmcculloch and mootz12 and removed request for Copilot February 25, 2026 18:44
@fnando fnando self-assigned this Feb 25, 2026
@fnando fnando moved this from Backlog (Not Ready) to Needs Review in DevX Feb 25, 2026
@fnando fnando enabled auto-merge (squash) February 25, 2026 18:45

@leighmcculloch leighmcculloch left a comment

Looks good to me. Some things to consider inline which would make it more secure.

Comment thread cmd/soroban-cli/src/config/locator.rs Outdated
Comment thread cmd/soroban-cli/src/config/locator.rs
Comment thread cmd/soroban-cli/src/config/locator.rs
Comment thread cmd/soroban-cli/src/config/locator.rs Outdated
Copilot AI review requested due to automatic review settings March 3, 2026 17:56
@fnando fnando force-pushed the change-permissions branch from 25e28fb to 2c35918 Compare March 3, 2026 17:56

Copilot AI left a comment

Pull request overview

This PR hardens filesystem permissions on Unix to better protect the CLI’s on-disk configuration by ensuring newly created config directories and key files are owner-only.

Changes:

  • Create config directories with 0700 on Unix via DirBuilderExt::mode.
  • Create key TOML files with 0600 on Unix via OpenOptionsExt::mode.
  • Add Unix-only tests asserting directory/file modes.

Comment thread cmd/soroban-cli/src/config/locator.rs
Comment thread cmd/soroban-cli/src/config/locator.rs
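
An added example, not code from this pull request: a Unix-only sketch of the two calls named in the overview above, `DirBuilderExt::mode` for a 0700 directory and `OpenOptionsExt::mode` for a 0600 key file. It goes one step further than the overview by also tightening a directory or file that already exists, since `mode` only takes effect at creation; `write_secret`, `mode_of`, the paths and the file contents are hypothetical.

```rust
use std::fs::{self, DirBuilder, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Create `dir` (and missing parents) as 0700, then write `contents` to
/// `dir/name` as 0600. Function and parameter names are hypothetical.
pub fn write_secret(dir: &Path, name: &str, contents: &[u8]) -> io::Result<PathBuf> {
    // mode() is applied only to directories this call actually creates.
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    let path = dir.join(name);
    // mode() is used only if open() creates the file. The umask can clear
    // bits but never add them, so a new file is owner-only from the start.
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(&path)?;
    // A pre-existing file or directory keeps its old mode, so tighten both
    // explicitly before the secret is written.
    file.set_permissions(Permissions::from_mode(0o600))?;
    fs::set_permissions(dir, Permissions::from_mode(0o700))?;
    file.write_all(contents)?;
    Ok(path)
}

/// Permission bits of `path`, without the file-type bits.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed sample: a scratch directory under the system temp dir.
    let root = std::env::temp_dir().join(format!("perm-demo-{}", std::process::id()));
    let dir = root.join("identity");
    let key = write_secret(&dir, "alice.toml", b"seed_phrase = \"constructed sample\"\n")?;
    println!("{:o} {:o}", mode_of(&dir)?, mode_of(&key)?);
    fs::remove_dir_all(&root)
}
```
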
@fnando fnando force-pushed the change-permissions branch from 3cadb77 to 3830efd Compare March 3, 2026 18:21
@fnando fnando requested a review from Copilot March 3, 2026 19:01
@fnando fnando merged commit 338515b into main Mar 3, 2026
35 of 37 checks passed
@fnando fnando deleted the change-permissions branch March 3, 2026 19:12
@github-project-automation github-project-automation Bot moved this from Needs Review to Done in DevX Mar 3, 2026
@fnando fnando review requested due to automatic review settings March 23, 2026 18:25