From 514f83f90c4bad0613320129b0bec277c063fe8d Mon Sep 17 00:00:00 2001
From: Edward Shen
Date: Fri, 28 Jul 2023 02:04:51 -0700
Subject: [PATCH] Better rwx checks
---
 src/main.rs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/main.rs b/src/main.rs
index fd5d1a0..9b6855d 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -528,13 +528,25 @@ fn load_config_from_path>(path: P) -> Option {
 // mode is a u32, but only the bottom 9 bits represent the
 // permissions. Mask and keep the bits we care about.
 let current_mode = metadata.permissions().mode() & 0o777;
- if current_mode != 0o600 {
+ debug!(found = format!("{current_mode:o}"), "Metadata bits");
+
+ // Check if it's readable by others
+ if (current_mode & 0o077) > 0 {
 warn!(
 found = format!("{current_mode:o}"),
 expected = "600",
 "File permissions too broad! Your GLOBAL Cloudflare API key is accessible to all users on the system!"
 );
 }
+
+ // Check if executable bit is set
+ if (current_mode & 0o100) != 0 {
+ warn!(
+ found = format!("{current_mode:o}"),
+ expected = "600",
+ "Config file has executable bit set"
+ );
+ }
 }
 Err(e) => {
 warn!("Failed to read metadata for file: {e}");
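Review bot: The `(current_mode & 0o077) > 0` test fires on any group or other bit, including write and execute, but its comment says "readable by others" and the warning tells the user the key is accessible to all users on the system. A file at mode 640 would get that message although only the group can read it, and a group- or world-writable file is a tampering risk rather than a disclosure, which the message does not convey. I would reword the comment to `// Warn if group or other has any permission bit set (r, w or x)` and soften the message to "accessible to other users", or split the test into `0o044` (read) and `0o022` (write) with separate messages. Both checks only warn and the config still appears to be loaded afterwards; whether that is intended cannot be confirmed here, since `load_config_from_path` starts and ends outside the hunk.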