From 70ca9fe8ecb4501bb2981b27749cb64537df8aca Mon Sep 17 00:00:00 2001
From: Tomasz Kramkowski
Date: Fri, 27 Jun 2025 18:49:36 +0100
Subject: Complain if config has creds and bad mode
---
 src/config.rs | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
(limited to 'src/config.rs')
diff --git a/src/config.rs b/src/config.rs
index 0f9cff3..00790bd 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,8 +1,17 @@
 // SPDX-FileCopyrightText: 2025 Tomasz Kramkowski
 // SPDX-License-Identifier: GPL-3.0-or-later
-use std::{collections::HashMap, fs, path::Path, process, time::Duration};
+use std::{
+ collections::HashMap,
+ fs::File,
+ io::Read,
+ os::unix::fs::PermissionsExt,
+ path::Path,
+ process,
+ time::Duration,
+};
+use anyhow::bail;
 use rumqttc::{AsyncClient, EventLoop, MqttOptions};
 use serde::Deserialize;
@@ -54,6 +63,15 @@ impl Config {
 }
 pub fn load>(path: P) -> anyhow::Result {
- let config = fs::read_to_string(&path)?;
- Ok(toml::from_str(&config)?)
+ let mut f = File::open(path)?;
+ let mut config = String::new();
+ f.read_to_string(&mut config)?;
+ let config: Config = toml::from_str(&config)?;
+ if config.credentials.is_some() {
+ let mode = f.metadata()?.permissions().mode();
+ if mode & 0o044 != 0o000 {
+ bail!("Config file contains credentials while being group or world readable.");
+ }
+ }
+ Ok(config)
 }
--
cgit v1.2.3-70-g09d2
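Review bot: `os::unix::fs::PermissionsExt` is pulled into the top-level `use std::{...}` group unconditionally, so from this commit on `src/config.rs` only compiles for Unix targets. If the project is meant to be Unix-only that is fine, but it is worth saying so in a comment next to the import, for example `// Unix-only: needed for the credentials file mode check in load()`. If other targets are supposed to build, the import and the mode check in `load` would both need a `#[cfg(unix)]` gate.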
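Review bot: The permission test added to `load` (`mode & 0o044`) looks only at the group and world read bits, so a credentials file that is group- or world-writable but not readable (mode 0620, say) passes the check. Anyone who can write the file can replace the credentials, and presumably the broker settings, that the client then uses. Consider widening the mask to `if mode & 0o066 != 0 {` and changing the message to say "readable or writable". Taking the mode from `f.metadata()` on the already-open handle is the right choice, because it describes the file that was actually read. A comment such as `// stat the open handle so the mode belongs to the file we just parsed` would keep a later refactor from switching to a path-based lookup. The check does not look at the file's owner or at ACLs, which is worth stating in a doc comment on `load`.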