Better rwx checks

This commit is contained in:
Edward Shen 2023-07-28 02:04:51 -07:00
parent f138148581
commit 514f83f90c
Signed by: edward
GPG key ID: 0A400FFE10097C30

View file

@ -528,13 +528,25 @@ fn load_config_from_path<P: AsRef<Path>>(path: P) -> Option<Config> {
// mode is a u32, but only the bottom 9 bits represent the // mode is a u32, but only the bottom 9 bits represent the
// permissions. Mask and keep the bits we care about. // permissions. Mask and keep the bits we care about.
let current_mode = metadata.permissions().mode() & 0o777; let current_mode = metadata.permissions().mode() & 0o777;
if current_mode != 0o600 { debug!(found = format!("{current_mode:o}"), "Metadata bits");
// Check if it's readable by others
if (current_mode & 0o077) > 0 {
warn!( warn!(
found = format!("{current_mode:o}"), found = format!("{current_mode:o}"),
expected = "600", expected = "600",
"File permissions too broad! Your GLOBAL Cloudflare API key is accessible to all users on the system!" "File permissions too broad! Your GLOBAL Cloudflare API key is accessible to all users on the system!"
); );
} }
// Check if executable bit is set
if (current_mode & 0o100) != 0 {
warn!(
found = format!("{current_mode:o}"),
expected = "600",
"Config file has executable bit set"
);
}
} }
Err(e) => { Err(e) => {
warn!("Failed to read metadata for file: {e}"); warn!("Failed to read metadata for file: {e}");