cuprated: private file permissions (Unix) (#562)

hinto-janai · web-flow · commit 68bd04ec2bcc · 2025-11-26T19:39:32.000Z
* set_private_global_file_permissions()

* clippy expect for Windows

* remove proptest-regression

* add `target_os_lib` feature

* use target_os_lib
diff --git a/binaries/cuprated/Cargo.toml b/binaries/cuprated/Cargo.toml
@@ -38,7 +38,6 @@ cuprate-txpool            = { workspace = true }
 cuprate-types             = { workspace = true, features = ["json"] }
 cuprate-wire              = { workspace = true }
 
-
 # TODO: after v1.0.0, remove unneeded dependencies.
 axum                  = { workspace = true, features = ["tokio", "http1", "http2"] }
 anyhow                = { workspace = true }
diff --git a/binaries/cuprated/src/main.rs b/binaries/cuprated/src/main.rs
@@ -54,6 +54,9 @@ mod txpool;
 mod version;
 
 fn main() {
+    // Set global private permissions for created files.
+    cuprate_helper::fs::set_private_global_file_permissions();
+
     // Initialize global static `LazyLock` data.
     statics::init_lazylock_statics();
 
diff --git a/helper/Cargo.toml b/helper/Cargo.toml
@@ -17,7 +17,7 @@ asynch    = ["dep:futures", "dep:rayon"]
 cast      = []
 constants = []
 crypto    = ["dep:curve25519-dalek", "dep:monero-oxide", "std"]
-fs        = ["dep:dirs", "std"]
+fs        = ["dep:dirs", "std", "dep:target_os_lib"]
 num       = []
 map       = ["cast", "dep:monero-oxide", "dep:cuprate-constants"]
 time      = ["dep:chrono", "std"]
@@ -45,7 +45,7 @@ serde            = { workspace = true, optional = true, features = ["derive"] }
 [target.'cfg(windows)'.dependencies]
 target_os_lib = { package = "windows", version = ">=0.51", features = ["Win32_System_Threading", "Win32_Foundation"], optional = true }
 [target.'cfg(unix)'.dependencies]
-target_os_lib = { package = "libc", version = "0.2.158", optional = true }
+target_os_lib = { package = "libc", version = "0.2", optional = true }
 
 [dev-dependencies]
 tokio            = { workspace = true, features = ["full"] }
diff --git a/helper/src/fs.rs b/helper/src/fs.rs
@@ -230,6 +230,34 @@ pub fn address_book_path(cache_dir: &Path, network: Network) -> PathBuf {
     path_with_network(cache_dir, network).join("addressbook")
 }
 
+// Set global private permissions for created files.
+//
+// # Unix
+// `rwxr-x---`
+//
+// # Windows
+// TODO: does nothing.
+#[cfg_attr(
+    target_os = "windows",
+    expect(
+        clippy::missing_const_for_fn,
+        reason = "remove when Windows is implemented"
+    )
+)]
+pub fn set_private_global_file_permissions() {
+    #[cfg(target_family = "unix")]
+    // SAFETY: calling C.
+    unsafe {
+        target_os_lib::umask(0o027);
+    }
+
+    #[cfg(target_os = "windows")]
+    // TODO: impl for Windows.
+    {
+        use target_os_lib as _;
+    }
+}
+
 //---------------------------------------------------------------------------------------------------- Tests
 #[cfg(test)]
 mod test {
