fix(gui): write config files with owner-only permissions

m3nu · m3nu · commit 2935f9b5ffe8 · 2026-04-23T08:51:28.000+01:00
The built-in editor's save path and the first-run starter config previously used std::fs::write, leaving configs at the default 0644 and leaking repository paths and credentials to other local users. Route both sites through new write_tmp_secure / create_new_config_secure helpers that fchmod to 0o600 on the open fd before any write_all, so sensitive contents never exist on disk at a wider mode — including the stale-tmp overwrite case that OpenOptions::mode silently ignores. Fixes #109.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/vykar-gui/Cargo.toml b/crates/vykar-gui/Cargo.toml
@@ -44,3 +44,6 @@ objc2-app-kit = { version = "0.3", features = ["NSApplication", "NSResponder", "
 [build-dependencies]
 slint-build = "1.15"
 winresource = "0.1"
+
+[dev-dependencies]
+tempfile = { workspace = true }
diff --git a/crates/vykar-gui/src/config_helpers.rs b/crates/vykar-gui/src/config_helpers.rs
@@ -1,8 +1,46 @@
-use std::path::PathBuf;
+use std::io::{self, Write};
+use std::path::{Path, PathBuf};
 
 use vykar_core::app;
 use vykar_core::config;
 
+fn finish_secure_write(mut file: std::fs::File, contents: &[u8]) -> io::Result<()> {
+    // fchmod before writing so contents never exist at a wider mode.
+    // apply_mode_fd is a no-op on non-Unix.
+    vykar_core::platform::fs::apply_mode_fd(&file, 0o600)?;
+    file.write_all(contents)?;
+    file.sync_all()
+}
+
+/// Create a new config file with owner-only permissions (0o600 on Unix).
+/// Fails with AlreadyExists if `path` already exists.
+pub(crate) fn create_new_config_secure(path: &Path, contents: &[u8]) -> io::Result<()> {
+    let mut opts = std::fs::OpenOptions::new();
+    opts.write(true).create_new(true);
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::OpenOptionsExt;
+        opts.mode(0o600);
+    }
+    let file = opts.open(path)?;
+    finish_secure_write(file, contents)
+}
+
+/// Overwrite `path` with `contents`, applying owner-only permissions (0o600)
+/// via fchmod on the open fd before writing. Tolerates a stale file already
+/// present at `path` — intended for tmp files in an atomic-rename flow.
+pub(crate) fn write_tmp_secure(path: &Path, contents: &[u8]) -> io::Result<()> {
+    let mut opts = std::fs::OpenOptions::new();
+    opts.write(true).create(true).truncate(true);
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::OpenOptionsExt;
+        opts.mode(0o600);
+    }
+    let file = opts.open(path)?;
+    finish_secure_write(file, contents)
+}
+
 /// Load and fully validate a config file: parse YAML, check non-empty, validate schedule.
 /// Returns the parsed repos or a human-readable error string.
 pub(crate) fn validate_config(
@@ -73,7 +111,7 @@ pub(crate) fn resolve_or_create_config(
             if let Some(parent) = path.parent() {
                 std::fs::create_dir_all(parent)?;
             }
-            std::fs::write(&path, config::minimal_config_template())?;
+            create_new_config_secure(&path, config::minimal_config_template().as_bytes())?;
             path
         } else {
             // No user-level path available, fall through to file picker
@@ -106,3 +144,56 @@ pub(crate) fn resolve_or_create_config(
     };
     Ok(app::RuntimeConfig { source, repos })
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[cfg(unix)]
+    fn mode_of(path: &Path) -> u32 {
+        use std::os::unix::fs::PermissionsExt;
+        std::fs::metadata(path).unwrap().permissions().mode()
+    }
+
+    #[test]
+    fn write_tmp_secure_overrides_stale_wide_mode() {
+        let dir = tempfile::tempdir().unwrap();
+        let tmp_path = dir.path().join("config.yaml.tmp");
+
+        std::fs::write(&tmp_path, b"leaked-old").unwrap();
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            std::fs::set_permissions(&tmp_path, std::fs::Permissions::from_mode(0o644)).unwrap();
+        }
+
+        write_tmp_secure(&tmp_path, b"fresh").unwrap();
+
+        #[cfg(unix)]
+        assert_eq!(mode_of(&tmp_path) & 0o077, 0);
+        assert_eq!(std::fs::read(&tmp_path).unwrap(), b"fresh");
+    }
+
+    #[test]
+    fn create_new_config_secure_fresh_mode() {
+        let dir = tempfile::tempdir().unwrap();
+        let path = dir.path().join("config.yaml");
+
+        create_new_config_secure(&path, b"template").unwrap();
+
+        #[cfg(unix)]
+        assert_eq!(mode_of(&path) & 0o077, 0);
+        assert_eq!(std::fs::read(&path).unwrap(), b"template");
+    }
+
+    #[test]
+    fn create_new_config_secure_refuses_to_clobber() {
+        let dir = tempfile::tempdir().unwrap();
+        let path = dir.path().join("config.yaml");
+        std::fs::write(&path, b"original").unwrap();
+
+        let err = create_new_config_secure(&path, b"new").unwrap_err();
+        assert_eq!(err.kind(), io::ErrorKind::AlreadyExists);
+        assert_eq!(std::fs::read(&path).unwrap(), b"original");
+    }
+}
diff --git a/crates/vykar-gui/src/worker/config_cmds.rs b/crates/vykar-gui/src/worker/config_cmds.rs
@@ -35,7 +35,7 @@ pub(super) fn handle_switch_config(ctx: &mut WorkerContext) {
 pub(super) fn handle_save_and_apply_config(ctx: &mut WorkerContext, yaml_text: String) {
     let config_path = ctx.config_display_path.clone();
     let tmp_path = config_path.with_extension("yaml.tmp");
-    if let Err(e) = std::fs::write(&tmp_path, &yaml_text) {
+    if let Err(e) = config_helpers::write_tmp_secure(&tmp_path, yaml_text.as_bytes()) {
         let _ = ctx
             .ui_tx
             .send(UiEvent::ConfigSaveError(format!("Write failed: {e}")));
