Follow-on to #1. validate.py::check_config_permissions checks the project config file and its immediate parent (the per-project dir) but not ~/.config/pwrap itself.
A group- or world-writable ~/.config/pwrap would let another user add new project configs (visible to pwrap --list, loadable by name). Even if the per-project dir is 0700, a sibling with attacker-chosen contents can be created under the config root.
Walk up to the user's config root and apply the same (0o002|0o020) → SystemExit rule to every directory on the way. ensure_templates() in scaffold.py creates the root with the default umask, so it should also chmod 0o700 up front (same pattern as the commit for #1).
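An added example, not pwrap's own code, sketching the two fixes the issue asks for: a permission walk from the config file up to the config root that flags any group- or world-writable element (0o020 | 0o002) and turns a hit into SystemExit, plus a root-creation helper that chmods 0o700 regardless of umask. Function names, the ~/.config/pwrap/<project>/config layout and the demo() layout built in a temp dir are assumptions for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Group-write or other-write on any element of the chain is what the issue treats as unsafe.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH  # 0o020 | 0o002


def unsafe_paths(config_file, config_root):
    """Return every path from config_file up to and including config_root that is
    group- or world-writable. An empty list means the whole chain is safe.
    (Assumed helper; the project's own check only covers the file and its parent.)"""
    config_file = Path(config_file).resolve()
    config_root = Path(config_root).resolve()
    if config_root not in config_file.parents:
        raise ValueError(f"{config_file} is not under {config_root}")
    unsafe = []
    path = config_file
    while True:
        # lstat: a symlink planted in the chain should be judged by its own bits, not its target
        mode = os.lstat(path).st_mode
        if mode & UNSAFE_BITS:
            unsafe.append(path)
        if path == config_root:
            break
        path = path.parent
    return unsafe


def check_config_permissions(config_file, config_root):
    """Apply the (0o002|0o020) -> SystemExit rule to the whole chain, root included."""
    bad = unsafe_paths(config_file, config_root)
    if bad:
        listing = ", ".join(str(p) for p in bad)
        raise SystemExit(f"refusing to load config: group/world-writable path(s): {listing}")


def ensure_config_root(config_root):
    """Create the config root if needed and force 0o700 on it, independent of umask.
    Returns the resulting permission bits."""
    root = Path(config_root)
    root.mkdir(parents=True, exist_ok=True)
    os.chmod(root, 0o700)
    return stat.S_IMODE(os.stat(root).st_mode)


def demo():
    """Build a constructed ~/.config/pwrap-style tree in a temp dir and exercise the checks."""
    base = Path(tempfile.mkdtemp())
    root = base / "pwrap"
    project = root / "demo"
    project.mkdir(parents=True)
    os.chmod(project, 0o700)            # per-project dir is already tight
    cfg = project / "config"
    cfg.write_text("[project]\nname = demo\n")
    os.chmod(cfg, 0o600)

    os.chmod(root, 0o775)               # the gap from the issue: root is group-writable
    flagged = [str(p) for p in unsafe_paths(cfg, root)]
    try:
        check_config_permissions(cfg, root)
        exit_raised = False
    except SystemExit:
        exit_raised = True

    os.chmod(root, 0o700)               # after the fix the same chain passes
    flagged_after_fix = unsafe_paths(cfg, root)

    fresh_root_mode = ensure_config_root(base / "fresh")
    return {
        "flagged": flagged,
        "root_path": str(root.resolve()),
        "exit_raised": exit_raised,
        "flagged_after_fix": flagged_after_fix,
        "fresh_root_mode": fresh_root_mode,
    }


if __name__ == "__main__":
    print(demo())
```

Only the config root is reported in the demo because the per-project dir and file are already 0o700/0o600; the walk would list every loose element in a longer chain, which is the information a user needs to fix the layout.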