permissions for key files (unix)

Key files are generally created in such a way that only the owner of the file may read it. This is practised by other software, e.g. openssl and thus seems like good behaviour for agate too.
2026-04-08 20:45:29 +00:00 · 2023-07-30 21:01:30 +02:00 · 2023-07-30 21:01:30 +02:00 · 46016d7cd7
commit 46016d7cd7
parent d271413466
2 changed files with 19 additions and 6 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -34,7 +34,7 @@ use {

 #[cfg(unix)]
 use {
-    std::os::unix::fs::FileTypeExt,
+    std::os::unix::fs::{FileTypeExt, PermissionsExt},
    tokio::net::{UnixListener, UnixStream},
 };

@ -320,11 +320,20 @@ fn args() -> Result<Args> {
                )))?;
                cert_file.write_all(&cert.serialize_der()?)?;
                // write key data to disk
-                let mut key_file = File::create(certs_path.join(format!(
-                    "{}/{}",
-                    domain,
-                    certificates::KEY_FILE_NAME
-                )))?;
+                let key_file_path =
+                    certs_path.join(format!("{}/{}", domain, certificates::KEY_FILE_NAME));
+                let mut key_file = File::create(&key_file_path)?;
+                #[cfg(unix)]
+                {
+                    // set permissions so only owner can read
+                    match key_file.set_permissions(std::fs::Permissions::from_mode(0o400)) {
+                        Ok(_) => (),
+                        Err(_) => log::warn!(
+                            "could not set permissions for new key file {}",
+                            key_file_path.display()
+                        ),
+                    }
+                }
                key_file.write_all(&cert.serialize_private_key_der())?;

                reload_certs = true;