diff --git a/CHANGELOG.md b/CHANGELOG.md
index 052625f..9bee751 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
+Thank you to Jan Stępień for contributing to this release.
+
+### Fixed
+* set permissions for generated key files so only owner can read them
 ## [3.3.0] - 2023-03-18
 Thank you to @equalsraf, @michaelnordmeyer and @wanderer1988 for contributing to this release.
diff --git a/src/main.rs b/src/main.rs
index 6a49c0f..9e4cb5e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -34,7 +34,7 @@ use {
 #[cfg(unix)]
 use {
- std::os::unix::fs::FileTypeExt,
+ std::os::unix::fs::{FileTypeExt, PermissionsExt},
 tokio::net::{UnixListener, UnixStream},
 };
@@ -320,11 +320,20 @@ fn args() -> Result {
 )))?;
 cert_file.write_all(&cert.serialize_der()?)?;
 // write key data to disk
- let mut key_file = File::create(certs_path.join(format!(
- "{}/{}",
- domain,
- certificates::KEY_FILE_NAME
- )))?;
+ let key_file_path =
+ certs_path.join(format!("{}/{}", domain, certificates::KEY_FILE_NAME));
+ let mut key_file = File::create(&key_file_path)?;
+ #[cfg(unix)]
+ {
+ // set permissions so only owner can read
+ match key_file.set_permissions(std::fs::Permissions::from_mode(0o400)) {
+ Ok(_) => (),
+ Err(_) => log::warn!(
+ "could not set permissions for new key file {}",
+ key_file_path.display()
+ ),
+ }
+ }
 key_file.write_all(&cert.serialize_private_key_der())?;
 reload_certs = true;
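Review bot: In the src/main.rs hunk at line 320, the key file is still created by `File::create` with the default mode (0o666 masked by the umask) and only narrowed to 0o400 afterwards, so any local process that opens it in that window keeps a readable descriptor and can read the key once `write_all` runs. Creating the file with the restrictive mode closes that window; this needs `std::os::unix::fs::OpenOptionsExt` added to the `#[cfg(unix)]` use block, and because `mode` only applies when the file is newly created, the `set_permissions` call should stay to cover a pre-existing file. The `Err(_)` arm also fails open: it logs a warning and then writes the private key anyway, so a failed chmod can leave the key readable by other users; propagating the error with `?` before the write would avoid that. The body of `args()` starts and ends outside this hunk, so the surrounding error handling is assumed from the `?` uses visible here.

```rust
// … unchanged: key_file_path computation …
#[cfg(unix)]
let mut key_file = std::fs::OpenOptions::new()
    .write(true)
    .create(true)
    .truncate(true)
    .mode(0o400) // applied only when the file is newly created
    .open(&key_file_path)?;
#[cfg(not(unix))]
let mut key_file = File::create(&key_file_path)?;
// tighten a pre-existing file as well; do not write the key if this fails
#[cfg(unix)]
key_file.set_permissions(std::fs::Permissions::from_mode(0o400))?;
key_file.write_all(&cert.serialize_private_key_der())?;
```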