author: ojacobson <ojacobson@noreply.codeberg.org> 2025-07-23 00:05:17 +0200
committer: ojacobson <ojacobson@noreply.codeberg.org> 2025-07-23 00:05:17 +0200
commit: 64639acbab02aa4103cbe44199e38991269b2137
tree: 7996fdc7d2034c9da85b4d7d2ad5ebbbdc6a2804 /Cargo.toml
parent: 0867790d87ebbbedb6b20b52139055e109031033
parent: dc240ca270f86552e999c81d864b4cb0c687a88e
Add a `--umask` option to determine what permissions new files/databases get.
The new `--umask` option takes one of three values:

* `--umask masked`, the default, takes the inherited umask and forces o+rwx on.
* `--umask inherit` takes the inherited umask as-is.
* `--umask OCTAL` sets the umask to exactly `OCTAL` and is broadly equivalent to `umask OCTAL && pilcrow --umask inherit`.

This fell out of a conversation with @wlonk, who is working on notifications. Since notifications may require [VAPID] keys, the server will need a way to store those keys. That would generally be "in the pilcrow database," which led me to the observation that Pilcrow creates that database as world-readable by default. "World-readable" and "encryption/signing keys" are not things that belong in the same sentence.

[VAPID]: https://datatracker.ietf.org/doc/html/rfc8292

The most "obvious" solution would be to set the permissions used for the sqlite database when it's created. That's harder than it sounds: sqlite has no built-in facility for doing this. The closest thing that exists today is the [`modeof`] query parameter, which copies the permissions (and ownership) from some other file. We also can't reliably set the permissions ourselves, as sqlite may - depending on build options and configuration - [create multiple files][wal].

[`modeof`]: https://www.sqlite.org/uri.html
[wal]: https://www.sqlite.org/wal.html

Using `umask` is a whole-process solution to this. As Pilcrow doesn't attempt to create other files, there's little issue with doing it this way, but this is a design risk for future work if it creates files that are _intended_ to be readable by more than just the Pilcrow daemon user.

Merges options-umask into main.
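The three `--umask` forms described above, as an added example that is not Pilcrow's code: it resolves each option against the inherited umask and shows the permission bits a newly created file would end up with. The type and function names are assumptions, and the example stays std-only, so installing the result (which the real change does through the `nix` crate) is left out.

```rust
/// The three forms the commit message describes for `--umask`.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UmaskOption {
    /// Inherited umask with o+rwx forced on (the default).
    Masked,
    /// Inherited umask, unchanged.
    Inherit,
    /// Exactly this octal mask.
    Exact(u32),
}

/// Parse the command-line value. Names are assumptions; the page gives
/// only the three accepted forms, not Pilcrow's own parser.
pub fn parse_umask_option(arg: &str) -> Result<UmaskOption, String> {
    match arg {
        "masked" => Ok(UmaskOption::Masked),
        "inherit" => Ok(UmaskOption::Inherit),
        other => {
            let mask = u32::from_str_radix(other, 8)
                .map_err(|e| format!("--umask: `{other}` is not octal: {e}"))?;
            if mask > 0o777 {
                return Err(format!("--umask: {mask:o} has bits outside rwxrwxrwx"));
            }
            Ok(UmaskOption::Exact(mask))
        }
    }
}

/// Compute the umask to install, given the one the process inherited.
/// `Masked` ORs in 0o007 so "other" never gets read/write/execute,
/// which is what keeps a freshly created sqlite database private.
pub fn resolve_umask(opt: UmaskOption, inherited: u32) -> u32 {
    match opt {
        UmaskOption::Masked => inherited | 0o007,
        UmaskOption::Inherit => inherited,
        UmaskOption::Exact(mask) => mask,
    }
}

/// Permission bits a file gets when created with `requested` (e.g. 0o644)
/// under `umask`: the kernel clears every bit that is set in the mask.
pub fn effective_mode(requested: u32, umask: u32) -> u32 {
    requested & !umask & 0o777
}

fn main() {
    // Constructed input: a typical interactive umask of 0o022.
    for opt in ["masked", "inherit", "077"] {
        let mask = resolve_umask(parse_umask_option(opt).expect("valid"), 0o022);
        println!("--umask {opt:<8} umask={mask:04o} file={:04o}", effective_mode(0o644, mask));
    }
}
```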
Diffstat (limited to 'Cargo.toml')
-rw-r--r-- Cargo.toml | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/Cargo.toml b/Cargo.toml
index fe5c90b..beb83b3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -32,6 +32,7 @@ headers = "0.4.0"
hex-literal = "0.4.1"
itertools = "0.14.0"
mime = "0.3.17"
+nix = { version = "0.30.1", features = ["fs"] }
password-hash = { version = "0.5.0", features = ["std"] }
rand = "0.8.5"
rand_core = { version = "0.6.4", features = ["getrandom"] }
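Review bot: `nix` is a Unix-only crate, so adding it as an unconditional dependency in this hunk makes the whole crate fail to build on any non-Unix target; if Pilcrow is meant to build there, move the line under `[target.'cfg(unix)'.dependencies]` and gate the `--umask` handling with `#[cfg(unix)]`. The `fs` feature is the right one for `nix::sys::stat::umask`, and the alphabetical placement between `mime` and `password-hash` matches the rest of the list.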