From f2b6ff29bd724bbce5c9023d9dece8803863052e Mon Sep 17 00:00:00 2001
From: Snider
Date: Sat, 25 Apr 2026 16:29:28 +0100
Subject: [PATCH] fix(agent): tighten directory perms in .core/reference/ siblings (Athena #988)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mantis #324 narrowly tightened fs.go from 0644/0755→0600/0700. Athena audit during task #20 closure-verification (2026-04-25) found sibling files in the same directory still using 0755 for MkdirAll, leaving parent dirs world-listable even when file content is 0600.

This commit applies the same hardening to:
- .core/reference/error.go:393 — crash-report parent dir 0755→0700
- .core/reference/embed.go:514/567/656 — workspace template extract dirs 0755→0700
- .core/reference/embed.go:595/660 — os.Create→os.OpenFile(...0600) for template renders + standard-file copies (default umask 0644 was leaking workspace-template content to other users on shared hosts)
- pkg/lib/workspace/default/.core/reference/error.go:414 — same crash-report fix
- pkg/lib/workspace/default/.core/reference/embed.go:518/571/660 — same template fixes

Workspace-template duplicates are kept in sync so newly-scaffolded workspaces inherit the hardened perms instead of regressing to 0755/0644.

Closes Mantis #988.

Co-authored-by: Codex
---
 .core/reference/embed.go | 10 +++++-----
 .core/reference/error.go | 2 +-
 pkg/lib/workspace/default/.core/reference/embed.go | 10 +++++-----
 pkg/lib/workspace/default/.core/reference/error.go | 2 +-
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.core/reference/embed.go b/.core/reference/embed.go
index 7951543..fd81d28 100644
--- a/.core/reference/embed.go
+++ b/.core/reference/embed.go
@@ -511,7 +511,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
 if err != nil {
 return Result{err, false}
 }
- if err := os.MkdirAll(targetDir, 0755); err != nil {
+ if err := os.MkdirAll(targetDir, 0700); err != nil {
 return Result{err, false}
 }
@@ -564,7 +564,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
 if err != nil {
 return Result{err, false}
 }
- if err := os.MkdirAll(target, 0755); err != nil {
+ if err := os.MkdirAll(target, 0700); err != nil {
 return Result{err, false}
 }
 }
@@ -592,7 +592,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
 return Result{err, false}
 }
- f, err := os.Create(targetFile)
+ f, err := os.OpenFile(targetFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 if err != nil {
 return Result{err, false}
 }
@@ -653,11 +653,11 @@ func copyFile(fsys fs.FS, source, target string) error {
 }
 defer s.Close()
- if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+ if err := os.MkdirAll(filepath.Dir(target), 0700); err != nil {
 return err
 }
- d, err := os.Create(target)
+ d, err := os.OpenFile(target, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 if err != nil {
 return err
 }
diff --git a/.core/reference/error.go b/.core/reference/error.go
index c56ea7c..99d4942 100644
--- a/.core/reference/error.go
+++ b/.core/reference/error.go
@@ -390,7 +390,7 @@ func (h *ErrorPanic) appendReport(report CrashReport) {
 Default().Error(Concat("crash report marshal failed: ", err.Error()))
 return
 }
- if err := os.MkdirAll(filepath.Dir(h.filePath), 0755); err != nil {
+ if err := os.MkdirAll(filepath.Dir(h.filePath), 0700); err != nil {
 Default().Error(Concat("crash report dir failed: ", err.Error()))
 return
 }
diff --git a/pkg/lib/workspace/default/.core/reference/embed.go b/pkg/lib/workspace/default/.core/reference/embed.go
index 21009ad..4136713 100644
--- a/pkg/lib/workspace/default/.core/reference/embed.go
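Review bot: The mode in `if err := os.MkdirAll(targetDir, 0700); err != nil {` only governs directories MkdirAll actually creates, so a targetDir (or any ancestor) that already exists from an earlier 0755 extraction keeps its old bits, and the world-listable parents the commit message describes are not tightened when Extract runs again over an existing workspace. The same holds for the `os.MkdirAll(target, 0700)` hunk at -564, the `filepath.Dir(target)` hunk in copyFile at -653, the crash-report hunk in error.go at -390, and the four mirrored hunks under pkg/lib/workspace/default/.core/reference/. If existing trees are meant to be repaired, an `os.Chmod(targetDir, 0700)` after a successful MkdirAll would do it, but that would also tighten a caller-supplied directory that was deliberately shared, so whichever way this is decided deserves a comment on the call, e.g. `// 0700: dirs created here are private to the extracting user; pre-existing dirs keep their mode (Mantis #988)`. Note also that MkdirAll gives every missing ancestor of targetDir 0700 as well, which can lock other accounts out of sibling paths if callers rely on Extract to create shared intermediate directories; Extract's body begins and ends outside the hunk.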
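Review bot: `f, err := os.OpenFile(targetFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)` applies 0600 only when the file is created; if targetFile already exists from the old os.Create path, O_TRUNC replaces its content but leaves its existing mode in place (typically 0644 under the previous call), so template files that were already readable by other users stay readable after an upgrade until something re-chmods them. The same applies to `d, err := os.OpenFile(target, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)` in copyFile at -653 and to the mirrored hunks at -596 and -657 in pkg/lib/workspace/default/.core/reference/embed.go. If re-extraction is meant to repair that, follow the error check with `if err := f.Chmod(0600); err != nil { return Result{err, false} }` (and `d.Chmod(0600)` with `return err` in copyFile), which works on the open descriptor rather than the path and also documents the intent at the point of use. Dropping os.Create's O_RDWR for O_WRONLY is fine as long as nothing later reads back through `f`; the rest of the write path, including where `f` is closed, is outside the hunk.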
+++ b/pkg/lib/workspace/default/.core/reference/embed.go
@@ -515,7 +515,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
 if err != nil {
 return Result{err, false}
 }
- if err := os.MkdirAll(targetDir, 0755); err != nil {
+ if err := os.MkdirAll(targetDir, 0700); err != nil {
 return Result{err, false}
 }
@@ -568,7 +568,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
 if err != nil {
 return Result{err, false}
 }
- if err := os.MkdirAll(target, 0755); err != nil {
+ if err := os.MkdirAll(target, 0700); err != nil {
 return Result{err, false}
 }
 }
@@ -596,7 +596,7 @@ func Extract(fsys fs.FS, targetDir string, data any, opts ...ExtractOptions) Res
 return Result{err, false}
 }
- f, err := os.Create(targetFile)
+ f, err := os.OpenFile(targetFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 if err != nil {
 return Result{err, false}
 }
@@ -657,11 +657,11 @@ func copyFile(fsys fs.FS, source, target string) error {
 }
 defer s.Close()
- if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+ if err := os.MkdirAll(filepath.Dir(target), 0700); err != nil {
 return err
 }
- d, err := os.Create(target)
+ d, err := os.OpenFile(target, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 if err != nil {
 return err
 }
diff --git a/pkg/lib/workspace/default/.core/reference/error.go b/pkg/lib/workspace/default/.core/reference/error.go
index 0913757..d186666 100644
--- a/pkg/lib/workspace/default/.core/reference/error.go
+++ b/pkg/lib/workspace/default/.core/reference/error.go
@@ -411,7 +411,7 @@ func (h *ErrorPanic) appendReport(report CrashReport) {
 Default().Error(Concat("crash report marshal failed: ", err.Error()))
 return
 }
- if err := os.MkdirAll(filepath.Dir(h.filePath), 0755); err != nil {
+ if err := os.MkdirAll(filepath.Dir(h.filePath), 0700); err != nil {
 Default().Error(Concat("crash report dir failed: ", err.Error()))
 return
 }