Better rwx checks

Edward Shen 2023-07-28 02:04:51 -07:00
parent f138148581
commit 514f83f90c
Signed by: edward
GPG key ID: 0A400FFE10097C30


@ -528,13 +528,25 @@ fn load_config_from_path<P: AsRef<Path>>(path: P) -> Option<Config> {
// mode is a u32, but only the bottom 9 bits represent the
// permissions. Mask and keep the bits we care about.
let current_mode = metadata.permissions().mode() & 0o777;
if current_mode != 0o600 {
debug!(found = format!("{current_mode:o}"), "Metadata bits");
// Check if it's readable by others
if (current_mode & 0o077) > 0 {
warn!(
found = format!("{current_mode:o}"),
expected = "600",
"File permissions too broad! Your GLOBAL Cloudflare API key is accessible to all users on the system!"
);
}
// Check if executable bit is set
if (current_mode & 0o100) != 0 {
warn!(
found = format!("{current_mode:o}"),
expected = "600",
"Config file has executable bit set"
);
}
}
Err(e) => {
warn!("Failed to read metadata for file: {e}");
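Review bot: The first new check masks with `0o077`, which covers read, write and execute for both group and other, yet its comment says "readable by others" and the warning says the key is accessible to all users; a mode such as 640 or 620 triggers that message although neither grants access to every user, and 620 grants no read access at all. A group- or world-writable config is a separate risk (another account could replace the credentials or settings the tool then acts on) and deserves its own message. I would test the bits separately, e.g. `if current_mode & 0o044 != 0` for exposure of the key and `if current_mode & 0o022 != 0` for tampering, and reword the comment to `// Check if group or other have any access`. Both checks only warn and the load appears to continue; returning `None` for a key file that other accounts can read may be worth considering. The body of load_config_from_path starts and ends outside this hunk.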