fix(security): harden token file permissions (closes #2)

- save_restore_token: use create_new(true) + mode(0o600) for exclusive
  atomic file creation, preventing symlink attacks and predictable
  temp file exploitation
- token_path: return Option, eliminate insecure /tmp fallback
- load_restore_token: reject insecure files (symlinks, wrong owner,
  group/world-readable permissions)
- Directory creation uses DirBuilderExt::mode(0o700) bypassing umask
- Added verify_secure_dir and ensure_secure_parent with full metadata
  validation (owner, permissions, symlink rejection)
- Added 11 regression tests covering all security scenarios
This commit is contained in:
dailz
2026-06-06 11:05:00 +08:00
parent 46367ef6b5
commit 9a5b09cd7f
3 changed files with 306 additions and 10 deletions
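The hardening the commit message lists (exclusive `create_new(true)` with mode 0o600, a 0o700 parent directory, and rejection of symlinks, foreign owners and group/world-readable modes on load) as an added, std-only Rust example; this is not the project's own code. The function names follow the commit message (`save_restore_token`, `load_restore_token`, `verify_secure_dir`, `ensure_secure_parent`), but their signatures, the `current_uid` helper, the `run_scenarios` driver and the sample token value are assumptions made for this example. Beyond the commit's description, the loader also compares the lstat and fstat inode numbers so that a file swapped in between the check and the open is detected.

```rust
use std::fs::{self, DirBuilder, File, OpenOptions, Permissions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{symlink, DirBuilderExt, MetadataExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

fn insecure(msg: &'static str) -> io::Error {
    io::Error::new(io::ErrorKind::PermissionDenied, msg)
}

/// Effective uid of this process. Assumption: Linux, where /proc/self is owned by the
/// calling process; otherwise fall back to the uid of a file we create ourselves.
/// (A real program would call libc::geteuid(); std is used here to stay dependency-free.)
fn current_uid() -> io::Result<u32> {
    if let Ok(m) = fs::metadata("/proc/self") {
        return Ok(m.uid());
    }
    let probe = std::env::temp_dir().join(format!("uid-probe-{}", std::process::id()));
    let uid = File::create(&probe)?.metadata()?.uid();
    let _ = fs::remove_file(&probe);
    Ok(uid)
}

/// Reject a parent directory that is a symlink, not a directory, owned by another
/// user, or reachable by group/others (any of the 0o077 bits set).
fn verify_secure_dir(dir: &Path, expected_uid: u32) -> io::Result<()> {
    let meta = fs::symlink_metadata(dir)?; // lstat: never follows a symlink
    if meta.file_type().is_symlink() { return Err(insecure("directory is a symlink")); }
    if !meta.is_dir() { return Err(insecure("not a directory")); }
    if meta.uid() != expected_uid { return Err(insecure("directory owned by another user")); }
    if meta.mode() & 0o077 != 0 { return Err(insecure("directory is group/world accessible")); }
    Ok(())
}

/// Create the parent with mode 0o700 if it is missing, then validate it either way.
/// The umask can only clear bits, so the result is never more permissive than 0o700.
fn ensure_secure_parent(dir: &Path, expected_uid: u32) -> io::Result<()> {
    match DirBuilder::new().mode(0o700).create(dir) {
        Ok(()) => {}
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists => {}
        Err(e) => return Err(e),
    }
    verify_secure_dir(dir, expected_uid)
}

/// Write the token into a brand-new file: O_CREAT|O_EXCL refuses any pre-existing
/// path (a planted symlink included), and the file is born with mode 0o600.
fn save_restore_token(path: &Path, token: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(path)?;
    f.write_all(token)?;
    f.sync_all()
}

/// Read the token only from a regular file we own that nobody else can read.
/// lstat first (rejects symlinks), then fstat the descriptor actually opened and
/// confirm it is the same inode, so a swap between the two calls is detected.
fn load_restore_token(path: &Path, expected_uid: u32) -> io::Result<Vec<u8>> {
    let before = fs::symlink_metadata(path)?;
    if before.file_type().is_symlink() { return Err(insecure("token file is a symlink")); }
    let mut f = File::open(path)?;
    let meta = f.metadata()?;
    if (meta.dev(), meta.ino()) != (before.dev(), before.ino()) {
        return Err(insecure("token file changed between check and open"));
    }
    if !meta.is_file() { return Err(insecure("not a regular file")); }
    if meta.uid() != expected_uid { return Err(insecure("token file owned by another user")); }
    if meta.mode() & 0o077 != 0 { return Err(insecure("token file is group/world readable")); }
    let mut buf = Vec::new();
    f.read_to_end(&mut buf)?;
    Ok(buf)
}

/// Exercise the checks inside `base` (must not exist yet; removed afterwards).
/// Returns (scenario, behaved-as-expected) pairs.
fn run_scenarios(base: &Path) -> io::Result<Vec<(&'static str, bool)>> {
    let uid = current_uid()?;
    let token = b"constructed-sample-token-0123"; // constructed sample value, not a real secret
    let path = base.join("restore.token");
    let mut out = Vec::new();

    ensure_secure_parent(base, uid)?;
    save_restore_token(&path, token)?;
    out.push(("round-trip through a fresh 0600 file", load_restore_token(&path, uid)?.as_slice() == &token[..]));
    out.push(("second save refused by create_new",
        matches!(save_restore_token(&path, token), Err(e) if e.kind() == io::ErrorKind::AlreadyExists)));
    let link = base.join("restore.link");
    symlink(&path, &link)?;
    out.push(("symlink to the token rejected", load_restore_token(&link, uid).is_err()));
    fs::set_permissions(&path, Permissions::from_mode(0o644))?;
    out.push(("world-readable token rejected", load_restore_token(&path, uid).is_err()));
    let loose = base.join("loose");
    DirBuilder::new().mode(0o755).create(&loose)?;
    fs::set_permissions(&loose, Permissions::from_mode(0o755))?; // deterministic regardless of umask
    out.push(("group/world-accessible directory rejected", verify_secure_dir(&loose, uid).is_err()));

    fs::remove_dir_all(base)?;
    Ok(out)
}

fn main() -> io::Result<()> {
    // Scratch location for the demonstration only; a real token path is derived from an
    // explicit, user-owned directory, never from a temp-dir fallback.
    let base = std::env::temp_dir().join(format!("restore-token-demo-{}", std::process::id()));
    for (name, ok) in run_scenarios(&base)? {
        println!("{:<45} {}", name, if ok { "ok" } else { "FAILED" });
    }
    Ok(())
}
```

The permission test masks with 0o077 rather than checking for exactly 0o600, so a 0o400 read-only file still passes while any group or other bit fails the check; the same mask is applied to the directory, where group/other execute alone would already let another user traverse to the token.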

Cargo.lock generated

@@ -2505,6 +2505,7 @@ dependencies = [
"signal-hook",
"signal-hook-mio",
"str0m",
"tempfile",
"tokio",
"tracing",
"tracing-subscriber",
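Review bot: `tempfile` enters the lock file in this hunk, but the Cargo.toml change that pulls it in is not shown; if the crate serves only the new regression tests described in the commit message, confirm it is declared under `[dev-dependencies]` rather than `[dependencies]`, so it does not become a runtime dependency of the release binary.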