From dc240ca270f86552e999c81d864b4cb0c687a88e Mon Sep 17 00:00:00 2001
From: Owen Jacobson <owen@grimoire.ca>
Date: Fri, 18 Jul 2025 00:08:39 -0400
Subject: Add a `--umask` option to determine what permissions new
 files/databases get.

The new `--umask` option takes one of three values:

* `--umask masked`, the default, takes the inherited umask and forces o+rwx on.
* `--umask inherit` takes the inherited umask as-is.
* `--umask OCTAL` sets the umask to exactly `OCTAL` and is broadly equivalent to `umask OCTAL && pilcrow --umask inherit`.

This fell out of a conversation with @wlonk, who is working on notifications. Since notifications may require [VAPID] keys, the server will need a way to store those keys. That would generally be "in the pilcrow database," which lead me to the observation that Pilcrow creates that database as world-readable by default. "World-readable" and "encryption/signing keys" are not things that belong in the same sentence.

[VAPID]: https://datatracker.ietf.org/doc/html/rfc8292

The most "obvious" solution would be to set the permissions used for the sqlite database when it's created. That's harder than it sounds: sqlite has no built-in facility for doing this. The closest thing that exists today is the [`modeof`] query parameter, which copies the permissions (and ownership) from some other file. We also can't reliably set the permissions ourselves, as sqlite may - depending on build options and configuration - [create multiple files][wal].

[`modeof`]: https://www.sqlite.org/uri.html
[wal]: https://www.sqlite.org/wal.html

Using `umask` is a whole-process solution to this. As Pilcrow doesn't attempt to create other files, there's little issue with doing it this way, but this is a design risk for future work if it creates files that are _intended_ to be readable by more than just the Pilcrow daemon user.
---
 Cargo.toml | 1 +
 1 file changed, 1 insertion(+)

(limited to 'Cargo.toml')

diff --git a/Cargo.toml b/Cargo.toml
index fe5c90b..beb83b3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -32,6 +32,7 @@ headers = "0.4.0"
 hex-literal = "0.4.1"
 itertools = "0.14.0"
 mime = "0.3.17"
+nix = { version = "0.30.1", features = ["fs"] }
 password-hash = { version = "0.5.0", features = ["std"] }
 rand = "0.8.5"
 rand_core = { version = "0.6.4", features = ["getrandom"] }
-- 
cgit v1.2.3