permissions for key files (unix)

Key files are generally created in such a way that only the owner of the file may read it. This is practised by other software, e.g. openssl and thus seems like good behaviour for agate too.
2026-03-25 09:05:50 +00:00 · 2023-07-30 21:01:30 +02:00 · 2023-07-30 21:01:30 +02:00 · 46016d7cd7
commit 46016d7cd7
parent d271413466
2 changed files with 19 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ## [Unreleased]
+Thank you to Jan Stępień for contributing to this release.
+
+### Fixed
+* set permissions for generated key files so only owner can read them

 ## [3.3.0] - 2023-03-18
 Thank you to @equalsraf, @michaelnordmeyer and @wanderer1988 for contributing to this release.
--- a/src/main.rs
+++ b/src/main.rs
@ -34,7 +34,7 @@ use {

 #[cfg(unix)]
 use {
-    std::os::unix::fs::FileTypeExt,
+    std::os::unix::fs::{FileTypeExt, PermissionsExt},
    tokio::net::{UnixListener, UnixStream},
 };

@ -320,11 +320,20 @@ fn args() -> Result<Args> {
                )))?;
                cert_file.write_all(&cert.serialize_der()?)?;
                // write key data to disk
-                let mut key_file = File::create(certs_path.join(format!(
-                    "{}/{}",
-                    domain,
-                    certificates::KEY_FILE_NAME
-                )))?;
+                let key_file_path =
+                    certs_path.join(format!("{}/{}", domain, certificates::KEY_FILE_NAME));
+                let mut key_file = File::create(&key_file_path)?;
+                #[cfg(unix)]
+                {
+                    // set permissions so only owner can read
+                    match key_file.set_permissions(std::fs::Permissions::from_mode(0o400)) {
+                        Ok(_) => (),
+                        Err(_) => log::warn!(
+                            "could not set permissions for new key file {}",
+                            key_file_path.display()
+                        ),
+                    }
+                }
                key_file.write_all(&cert.serialize_private_key_der())?;

                reload_certs = true;