fix(install): restrict ~/.hermes/.env to owner-only permissions (0600)#25560
Closed
alaamohanad169-ship-it wants to merge 1 commit into
The installer creates ~/.hermes/.env via cp or touch, both of which inherit the process umask. On Ubuntu (umask 0022) the result is 0644; on some server environments with umask 0002 the result is 0664. No explicit chmod was applied after file creation, leaving API keys and tokens visible to other users on the system. Add chmod 0600 immediately after .env creation in copy_config_templates(), with a || true fallback for NixOS/containers where the activation script owns permissions. Also tightens permissions when the file already exists, so users with 0664 on disk are hardened on next upgrade. Fixes NousResearch#25477
Thanks — closing in favor of #25562 (vanthinh6886) which lands the same 0600 fix for #25477 plus also patches the Python |
Summary
Fixes #25477 — installer leaves ~/.hermes/.env world/group-readable, exposing API keys.

Root Cause
The installer uses cp and touch to create ~/.hermes/.env, both of which inherit the process umask. On Ubuntu (umask 0022) the result is 0644; on some server environments with umask 0002 the result is 0664. No explicit chmod was applied after file creation, leaving platform tokens, API keys, and Slack tokens visible to other users on the system.

The Python layer (_secure_file() in hermes_cli/config.py) already applies 0o600 on every subsequent write via save_env_value() and sanitize_env_file() — but the install script's initial file creation was never covered.

Fix
Add chmod 0600 "$HERMES_HOME/.env" immediately after the file is created in copy_config_templates(), with a || true fallback to stay safe on NixOS managed installs and containers where the activation script owns permissions.

The fix also tightens permissions when the file already exists (the else branch), so users who installed a previous version and have 0664 on disk are hardened on their next upgrade — without any user action required.

Before / After

Testing
bash -n scripts/install.sh → OK (shell syntax valid)
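
The umask behaviour and the hardening discussed in this PR, as an added shell example that is not taken from the project's scripts/install.sh. The function names, the optional template argument and the temp paths are assumptions; creating the file under umask 077 goes one step beyond the chmod described above, so the file is never wider than 0600 even between creation and chmod.

```bash
#!/bin/sh
# Added example (not the project's install.sh). Paths are constructed temp files.

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Behaviour described in the PR: touch with no chmod, so the mode is 0666 & ~umask.
# $1 = path, $2 = umask to simulate
create_env_inherit() {
    ( umask "$2"; rm -f "$1"; touch "$1" )
    file_mode "$1"
}

# Hardened creation. $1 = path, $2 = optional template to copy (hypothetical argument).
create_env_hardened() {
    (
        umask 077   # files created in this subshell get 0600 at most
        if [ ! -f "$1" ]; then
            if [ -n "${2:-}" ] && [ -f "$2" ]; then cp "$2" "$1"; else touch "$1"; fi
        fi
    )
    # Also covers a file that already existed with 0644/0664 (the upgrade case).
    # "|| true" mirrors the PR: do not abort where something else owns the permissions.
    chmod 600 "$1" 2>/dev/null || true
    file_mode "$1"
}

# Audit helper: succeed only if group and other have no access bits at all.
env_is_owner_only() {
    [ $(( 0$(file_mode "$1") & 077 )) -eq 0 ]
}

demo() {
    demo_dir=$(mktemp -d)
    echo "umask 0022, no chmod: $(create_env_inherit "$demo_dir/.env" 0022)"
    echo "umask 0002, no chmod: $(create_env_inherit "$demo_dir/.env" 0002)"
    env_is_owner_only "$demo_dir/.env" || echo "audit: .env readable by group/other"
    echo "after hardening:      $(create_env_hardened "$demo_dir/.env")"
    env_is_owner_only "$demo_dir/.env" && echo "audit: .env is owner-only"
    rm -rf "$demo_dir"
}
demo
```

The audit helper can be pointed at an existing "$HERMES_HOME/.env" to check whether an installed file still carries group or other access bits.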