Skip to content

fix(config): use 0o701 for HERMES_HOME to allow web server traversal#7003

Closed
mvanhorn wants to merge 2 commits into
NousResearch:mainfrom
mvanhorn:fix/6991-secure-dir-traversal
Closed

fix(config): use 0o701 for HERMES_HOME to allow web server traversal#7003
mvanhorn wants to merge 2 commits into
NousResearch:mainfrom
mvanhorn:fix/6991-secure-dir-traversal

Conversation

@mvanhorn

@mvanhorn mvanhorn commented Apr 10, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Changes ensure_hermes_home() to set HERMES_HOME to 0o701 instead of 0o700. This preserves owner-only read/write on the directory while allowing other users (like www-data) to traverse it. Subdirectories (cron, sessions, logs, memories) remain at 0o700.

Related Issue

Fixes #6991

Type of Change

  • Bug fix (non-breaking change that fixes an issue)

Changes Made

  • hermes_cli/config.py: Replaced _secure_dir(home) call in ensure_hermes_home() with direct os.chmod(home, 0o701), using the same try/except pattern. Subdirectories still use _secure_dir() (0o700).
  • tests/hermes_cli/test_config.py: Added test_permissions_home_701_and_subdirs_700 verifying the permission split.
  • tests/cron/test_file_permissions.py: Updated existing permission test to expect 0o701 for home.

How to Test

  1. Configure nginx to serve from a subdirectory of ~/.hermes/ (e.g., alias /home/user/.hermes/reports/;)
  2. Restart hermes-gateway
  3. Verify ls -lad ~/.hermes shows drwx-----x (0o701)
  4. Verify ls -lad ~/.hermes/sessions shows drwx------ (0o700)
  5. Verify nginx can serve content from the subdirectory (HTTP 200, not 403)

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: macOS 26.3

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A

Aware of related PRs #6993 and #6994 which take a different approach (env var override). This PR takes the simpler path of changing the default, since 0o701 (execute-only for others) is the standard Unix pattern for web-serving parent directories and doesn't require configuration.

This contribution was developed with AI assistance (Codex).

mvanhorn added 2 commits April 9, 2026 23:59
@mvanhorn
fix(config): use 0o701 for HERMES_HOME to allow web server traversal
168cfab 
HERMES_HOME was set to 0o700 on every gateway startup, which strips
the other-execute bit needed by web servers (nginx, caddy) to traverse
into served subdirectories. Changed to 0o701 for the top-level directory
only - subdirectories (cron, sessions, logs, memories) remain 0o700.

The execute-only bit on a directory allows cd-through but not listing,
which is the standard Unix pattern for web-serving parent directories.

Fixes NousResearch#6991
@mvanhorn
test: update permissions test for 0o701 home directory
d89c8fc 
The existing test expected 0o700 for HERMES_HOME. Updated to match
the new 0o701 behavior while keeping 0o700 for subdirs.
@mvanhorn mvanhorn mentioned this pull request Apr 10, 2026
Closed
1 task
@teknium1

teknium1 commented Apr 10, 2026

Copy link
Copy Markdown
Contributor

Closing in favor of #6993, which takes a configurable approach (HERMES_HOME_MODE env var) rather than changing the default for all users. Operators who need 0o701 can now set HERMES_HOME_MODE=0701. Your tests were a nice touch — appreciated the thorough approach, @mvanhorn!

@teknium1 teknium1 closed this Apr 10, 2026
@dfrolov dfrolov mentioned this pull request May 14, 2026
Closed
@YonganZhang YonganZhang mentioned this pull request May 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: _secure_dir() resets ~/.hermes to 0700 on every gateway start, breaking nginx serving from subdirectories

2 participants

@mvanhorn @teknium1