chezmoi edit-config-template creates initial template with world-writable permissions #3781

Closed
Tblue opened this issue May 27, 2024 · 2 comments · Fixed by #3782
Labels
bug Something isn't working

Comments

@Tblue

Tblue commented May 27, 2024

Describe the bug

When ~/.config/chezmoi/chezmoi.toml already exists in the target directory but its template does not yet exist in the source directory, and one then runs chezmoi edit-config-template, the config template in the source directory is created with world-writable permissions. This happens even with an umask of e.g. 022.

To reproduce

  • Ensure .chezmoi.toml.tmpl does not exist in the source directory.

  • Ensure ~/.config/chezmoi/chezmoi.toml does exist in the target directory.

  • Ensure umask removes world-writable permissions.

  • Run: chezmoi edit-config-template, and save the file.

  • Observe that .chezmoi.toml.tmpl in the source directory now has world-writable permissions:

    -rw-rw-rw- 1 tilman tilman 275 27. Mai 18:19 /home/tilman/.local/share/chezmoi/.chezmoi.toml.tmpl

Expected behavior

.chezmoi.toml.tmpl in the source directory should have secure permissions: it should not be world-writable, just like its rendered version in the target directory.

Output of command with the --verbose flag

$ chezmoi edit-config-template --verbose --no-pager
diff --git a/ b/
old mode 40755
new mode 40777
diff --git a/.chezmoi.toml.tmpl b/.chezmoi.toml.tmpl
new file mode 100666
index 0000000000000000000000000000000000000000..ae616fe89038d1e735b72546b1140266d083e99a
--- /dev/null
+++ b/.chezmoi.toml.tmpl
@@ -0,0 +1,12 @@
+# ~/.config/chezmoi/chezmoi.toml
+# vim: tw=79
+#
+# See: https://www.chezmoi.io/reference/configuration-file
+#
+# Adheres to TOML v1 syntax: https://toml.io/en/v1.0.0
+
+encryption = "gpg"
+gpg.recipient = "[REDACTED]"
+
+[git]
+autoAdd = true
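Review bot: the widened permissions are not limited to the new file. Besides `new file mode 100666` on .chezmoi.toml.tmpl, the first header of this output (`diff --git a/ b/`, `old mode 40755` / `new mode 40777`) records the source directory itself going from 0755 to 0777 in the same run, so whatever fixes the 0o666 in the WriteFile call should be checked against the code path that creates or chmods the directory as well, otherwise the template stays inside a world-writable directory even once its own mode is corrected.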

Output of chezmoi doctor

I ran this after the steps used to reproduce the bug, but running it before gives the same output.

$ chezmoi doctor
RESULT    CHECK                       MESSAGE
warning   version                     v2.48.1, built at 2024-05-13T12:57:01Z
ok        latest-version              v2.48.1
ok        os-arch                     linux/amd64 (Arch Linux)
ok        uname                       Linux gumshoe 6.9.2-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 26 May 2024 01:30:29 +0000 x86_64 GNU/Linux
ok        go-version                  go1.22.3 (gc)
ok        executable                  /usr/bin/chezmoi
ok        config-file                 ~/.config/chezmoi/chezmoi.toml, last modified 2024-05-27T17:43:40+02:00
warning   source-dir                  ~/.local/share/chezmoi is a git working tree (dirty)
ok        suspicious-entries          no suspicious entries
warning   working-tree                ~/.local/share/chezmoi is a git working tree (dirty)
ok        dest-dir                    ~ is a directory
ok        umask                       022
ok        cd-command                  found /bin/zsh
ok        cd-args                     /bin/zsh
info      diff-command                not set
ok        edit-command                found /usr/bin/vim
ok        edit-args                   /usr/bin/vim
ok        git-command                 found /usr/bin/git, version 2.45.1
ok        merge-command               found /usr/bin/vimdiff
ok        shell-command               found /bin/zsh
ok        shell-args                  /bin/zsh
info      age-command                 age not found in $PATH
ok        gpg-command                 found /usr/bin/gpg, version 2.4.5
info      pinentry-command            not set
ok        1password-command           found ~/bin/op, version 2.29.0
info      bitwarden-command           bw not found in $PATH
info      bitwarden-secrets-command   bws not found in $PATH
info      dashlane-command            dcli not found in $PATH
info      doppler-command             doppler not found in $PATH
info      gopass-command              gopass not found in $PATH
info      keepassxc-command           keepassxc-cli not found in $PATH
info      keepassxc-db                not set
info      keeper-command              keeper not found in $PATH
info      lastpass-command            lpass not found in $PATH
info      pass-command                pass not found in $PATH
info      passhole-command            ph not found in $PATH
info      rbw-command                 rbw not found in $PATH
info      vault-command               vault not found in $PATH
info      vlt-command                 vlt not found in $PATH
info      secret-command              not set

Additional context

Only tested with the .toml template, but I'd assume this applies to any configuration language.

@twpayne twpayne added the bug Something isn't working label May 27, 2024
@Tblue
Author

Tblue commented May 27, 2024

The issue appears to be:

if err := c.sourceSystem.WriteFile(configTemplateAbsPath, data, 0o666); err != nil {

A bit of digging reveals this completely ignores the umask, and uses the permissions exactly as specified:

// Set permissions after truncation but before writing any data, in case the
// file contained private data before, but before writing the new contents,
// in case the new contents contain private data after.
if err = f.Chmod(perm); err != nil {
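The two snippets above point at the mechanism but do not show it running. The following Go program is an added example, not chezmoi's code: writeFileThenChmod reproduces the create-then-Chmod pattern quoted from the source, and writeFileRespectingUmask is a hypothetical hardened variant that masks the requested mode with the process umask before the explicit Chmod. It assumes a Unix-like system (syscall.Umask), creates its files in a temporary directory, and uses constructed template content with a placeholder recipient.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// writeFileThenChmod reproduces the pattern quoted in the issue: open/truncate
// the file with perm, then call Chmod(perm) explicitly. The kernel applies the
// umask to the mode passed to open(2), but chmod(2) sets the bits verbatim, so
// a perm of 0o666 ends up as a world-writable file regardless of the umask.
func writeFileThenChmod(path string, data []byte, perm os.FileMode) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return err
	}
	defer f.Close()
	if err := f.Chmod(perm); err != nil {
		return err
	}
	_, err = f.Write(data)
	return err
}

// currentUmask reads the process umask. umask(2) has no read-only form, so the
// value is set to 0 and immediately restored; this is racy if other goroutines
// create files concurrently and is used here only for illustration.
func currentUmask() os.FileMode {
	old := syscall.Umask(0)
	syscall.Umask(old)
	return os.FileMode(old)
}

// writeFileRespectingUmask is a hypothetical hardened helper (not chezmoi's
// code): it masks perm with the umask before the explicit Chmod, so the file
// ends up with the same bits a plain create would have produced.
func writeFileRespectingUmask(path string, data []byte, perm os.FileMode) error {
	return writeFileThenChmod(path, data, perm&^currentUmask())
}

// resultingMode writes a constructed template into a fresh temporary directory
// using the supplied writer and returns the permission bits the file ends up with.
func resultingMode(write func(string, []byte, os.FileMode) error, perm os.FileMode) (os.FileMode, error) {
	dir, err := os.MkdirTemp("", "umask-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)

	path := filepath.Join(dir, ".chezmoi.toml.tmpl")
	// Constructed sample content; the recipient value is a placeholder.
	data := []byte("encryption = \"gpg\"\ngpg.recipient = \"PLACEHOLDER\"\n")
	if err := write(path, data, perm); err != nil {
		return 0, err
	}
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	syscall.Umask(0o022) // same umask as in the report
	buggy, err := resultingMode(writeFileThenChmod, 0o666)
	if err != nil {
		panic(err)
	}
	fixed, err := resultingMode(writeFileRespectingUmask, 0o666)
	if err != nil {
		panic(err)
	}
	fmt.Printf("explicit Chmod(0o666):      %04o\n", buggy) // 0666
	fmt.Printf("umask applied before Chmod: %04o\n", fixed) // 0644
}
```

With umask 022 the first writer leaves the file at 0666 and the second at 0644, which is exactly the difference between the ls output in the report and the expected behaviour. Applying the umask restores parity with a plain create; for a config template that can carry secret material, a fixed 0o600 is the stricter choice and does not depend on the caller's umask at all.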

@twpayne
Owner

twpayne commented May 27, 2024

Thanks for the thorough report! Your analysis was correct. This, and an equivalent bug in chezmoi edit, are fixed in #3782.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 4, 2024