author | Levente Polyak <anthraxx@archlinux.org> | 2023-04-05 22:58:49 +0200 |
---|---|---|
committer | Levente Polyak <anthraxx@archlinux.org> | 2023-05-20 00:08:12 +0200 |
commit | bc182032eb4a1cbae573c9f09bdd9f8338b20d23 (patch) | |
tree | dde5914cd92389f19ec0a99e094c1f9cc7bdfcea | |
parent | f3518e248cc8be165009f2200ff3b6500bfc0476 (diff) | |
download | devtools-bc182032eb4a1cbae573c9f09bdd9f8338b20d23.tar.xz |
config: fixup file permissions to be more strict
Normally the default in Arch is that all home directories are private.
However, this may have been changed locally. To make sure we never
expose secrets, let's use a umask of 0077 when writing the config.
Additionally add some temporary fixup code to migrate the file and
directory permissions of already existing paths.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
-rw-r--r-- | src/lib/config.sh | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/src/lib/config.sh b/src/lib/config.sh
index ba6532e..b09479a 100644
--- a/src/lib/config.sh
+++ b/src/lib/config.sh
@@ -14,6 +14,13 @@ readonly XDG_DEVTOOLS_GITLAB_CONFIG="${XDG_DEVTOOLS_DIR}/gitlab.conf"
 export GITLAB_TOKEN=""

 load_devtools_config() {
+ # temporary permission fixup
+ if [[ -d "${XDG_DEVTOOLS_DIR}" ]]; then
+ chmod 700 "${XDG_DEVTOOLS_DIR}"
+ fi
+ if [[ -f "${XDG_DEVTOOLS_GITLAB_CONFIG}" ]]; then
+ chmod 600 "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+ fi
 if [[ -n "${DEVTOOLS_GITLAB_TOKEN}" ]]; then
 GITLAB_TOKEN="${DEVTOOLS_GITLAB_TOKEN}"
 return
@@ -26,6 +33,16 @@ load_devtools_config() {
 }

 save_devtools_config() {
- mkdir -p "${XDG_DEVTOOLS_DIR}"
- printf 'GITLAB_TOKEN="%s"\n' "${GITLAB_TOKEN}" > "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+ # temporary permission fixup
+ if [[ -d "${XDG_DEVTOOLS_DIR}" ]]; then
+ chmod 700 "${XDG_DEVTOOLS_DIR}"
+ fi
+ if [[ -f "${XDG_DEVTOOLS_GITLAB_CONFIG}" ]]; then
+ chmod 600 "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+ fi
+ (
+ umask 0077
+ mkdir -p "${XDG_DEVTOOLS_DIR}"
+ printf 'GITLAB_TOKEN="%s"\n' "${GITLAB_TOKEN}" > "${XDG_DEVTOOLS_GITLAB_CONFIG}"
+ )
 }
|
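Review bot: The new `chmod 600` in load_devtools_config follows symlinks — `[[ -f ]]` is true for a symlink to a regular file — so if `${XDG_DEVTOOLS_GITLAB_CONFIG}` is a link the fixup changes the mode of whatever it points at rather than the config path, and a `chmod` that fails (path owned by another user, read-only filesystem) would abort a plain load if the library runs under `set -e`, which this hunk does not show. Guarding the file case with `if [[ -f "${XDG_DEVTOOLS_GITLAB_CONFIG}" && ! -L "${XDG_DEVTOOLS_GITLAB_CONFIG}" ]]; then` keeps the fixup on the path the user actually owns. The same seven lines are repeated in save_devtools_config in the second hunk; one helper such as `fixup_devtools_config_permissions()` called from both would make the "temporary" code a single thing to remove later. load_devtools_config continues past the end of this hunk.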
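Review bot: save_devtools_config still writes the token in place with `> "${XDG_DEVTOOLS_GITLAB_CONFIG}"`, so an interrupted write leaves a truncated config, and when that path is a symlink the redirection, like the `chmod 600` above it, follows the link and writes the secret to the target. Creating the file with `mktemp` inside `${XDG_DEVTOOLS_DIR}` and renaming it over the destination makes the write atomic, gives the file 0600 from mktemp independent of the inherited mode, and lets `mv` replace a symlink instead of following it. The umask subshell the commit adds is the right place for this; only the write itself changes.
```shell
	(
		umask 0077
		mkdir -p "${XDG_DEVTOOLS_DIR}"
		# write to a 0600 temp file in the same directory, then rename over the config
		tmp=$(mktemp -p "${XDG_DEVTOOLS_DIR}" gitlab.conf.XXXXXX) || exit 1
		printf 'GITLAB_TOKEN="%s"\n' "${GITLAB_TOKEN}" > "${tmp}"
		mv -f -- "${tmp}" "${XDG_DEVTOOLS_GITLAB_CONFIG}"
	)
```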