From d7bba325a73b1898edfa4299c4525749e174bbac Mon Sep 17 00:00:00 2001
From: Reto <reto@labrat.space>
Date: Tue, 12 Apr 2022 02:47:22 +0200
Subject: [PATCH] Fix user file permissions on create (#4507)

User files contain secrets and should be protected.
Chances are that the user folder can be protected as well,
so let's do that if TL is creating the folder.
---
 src/clientManager.js            | 8 ++++++--
 src/command-line/start.js       | 2 +-
 src/command-line/users/reset.js | 4 +++-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/clientManager.js b/src/clientManager.js
index 1cc1c2fc..e90489ea 100644
--- a/src/clientManager.js
+++ b/src/clientManager.js
@@ -173,7 +173,9 @@ ClientManager.prototype.addUser = function (name, password, enableLog) {
 	};
 
 	try {
-		fs.writeFileSync(userPath, JSON.stringify(user, null, "\t"));
+		fs.writeFileSync(userPath, JSON.stringify(user, null, "\t"), {
+			mode: 0o600,
+		});
 	} catch (e) {
 		log.error(`Failed to create user ${colors.green(name)} (${e})`);
 		throw e;
@@ -235,7 +237,9 @@ ClientManager.prototype.saveUser = function (client, callback) {
 	try {
 		// Write to a temp file first, in case the write fails
 		// we do not lose the original file (for example when disk is full)
-		fs.writeFileSync(pathTemp, newUser);
+		fs.writeFileSync(pathTemp, newUser, {
+			mode: 0o600,
+		});
 		fs.renameSync(pathTemp, pathReal);
 
 		return callback ? callback() : true;
diff --git a/src/command-line/start.js b/src/command-line/start.js
index 2c6825d8..524b6503 100644
--- a/src/command-line/start.js
+++ b/src/command-line/start.js
@@ -31,5 +31,5 @@ function initalizeConfig() {
 		log.info(`Configuration file created at ${colors.green(Helper.getConfigPath())}.`);
 	}
 
-	fs.mkdirSync(Helper.getUsersPath(), {recursive: true});
+	fs.mkdirSync(Helper.getUsersPath(), {recursive: true, mode: 0o700});
 }
diff --git a/src/command-line/users/reset.js b/src/command-line/users/reset.js
index f7c1cbac..bcf9ea76 100644
--- a/src/command-line/users/reset.js
+++ b/src/command-line/users/reset.js
@@ -63,7 +63,9 @@ function change(name, password) {
 
 	// Write to a temp file first, in case the write fails
 	// we do not lose the original file (for example when disk is full)
-	fs.writeFileSync(pathTemp, newUser);
+	fs.writeFileSync(pathTemp, newUser, {
+		mode: 0o600,
+	});
 	fs.renameSync(pathTemp, pathReal);
 
 	log.info(`Successfully reset password for ${colors.bold(name)}.`);