Fix user file permissions on create (#4507)

User files contain secrets and should be protected. Chances are that the user folder can be protected as well, so let's do that if TL is creating the folder.
thelounge · Apr 12, 2022 · d7bba32 · d7bba32
1 parent 8153198
commit d7bba32
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/src/clientManager.js b/src/clientManager.js
@@ -173,7 +173,9 @@ ClientManager.prototype.addUser = function (name, password, enableLog) {
 	};
 
 	try {
-		fs.writeFileSync(userPath, JSON.stringify(user, null, "\t"));
+		fs.writeFileSync(userPath, JSON.stringify(user, null, "\t"), {
+			mode: 0o600,
+		});
 	} catch (e) {
 		log.error(`Failed to create user ${colors.green(name)} (${e})`);
 		throw e;
@@ -235,7 +237,9 @@ ClientManager.prototype.saveUser = function (client, callback) {
 	try {
 		// Write to a temp file first, in case the write fails
 		// we do not lose the original file (for example when disk is full)
-		fs.writeFileSync(pathTemp, newUser);
+		fs.writeFileSync(pathTemp, newUser, {
+			mode: 0o600,
+		});
 		fs.renameSync(pathTemp, pathReal);
 
 		return callback ? callback() : true;

diff --git a/src/command-line/start.js b/src/command-line/start.js
@@ -31,5 +31,5 @@ function initalizeConfig() {
 		log.info(`Configuration file created at ${colors.green(Helper.getConfigPath())}.`);
 	}
 
-	fs.mkdirSync(Helper.getUsersPath(), {recursive: true});
+	fs.mkdirSync(Helper.getUsersPath(), {recursive: true, mode: 0o700});
 }
diff --git a/src/command-line/users/reset.js b/src/command-line/users/reset.js
@@ -63,7 +63,9 @@ function change(name, password) {
 
 	// Write to a temp file first, in case the write fails
 	// we do not lose the original file (for example when disk is full)
-	fs.writeFileSync(pathTemp, newUser);
+	fs.writeFileSync(pathTemp, newUser, {
+		mode: 0o600,
+	});
 	fs.renameSync(pathTemp, pathReal);
 
 	log.info(`Successfully reset password for ${colors.bold(name)}.`);