twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.

Home Page:https://www.chezmoi.io/

`chezmoi edit-config-template` creates initial template with world-writable permissions

Tblue opened this issue · comments

Describe the bug

When ~/.config/chezmoi/chezmoi.toml already exists in the target directory, but its template does not yet exist in the source directory, and one then runs chezmoi edit-config-template, the config template in the source directory is created with world-writable permissions. This happens even with a umask of e.g. 022.

To reproduce

  • Ensure .chezmoi.toml.tmpl does not exist in the source directory.

  • Ensure ~/.config/chezmoi/chezmoi.toml does exist in the target directory.

  • Ensure umask removes world-writable permissions.

  • Run: chezmoi edit-config-template, and save the file.

  • Observe that .chezmoi.toml.tmpl in the source directory now has world-writable permissions:

    -rw-rw-rw- 1 tilman tilman 275 27. Mai 18:19 /home/tilman/.local/share/chezmoi/.chezmoi.toml.tmpl
    

Expected behavior

.chezmoi.toml.tmpl in the source directory should have secure permissions: it should not be world-writable, just like its rendered version in the target directory.

Output of command with the --verbose flag

$ chezmoi edit-config-template --verbose --no-pager
diff --git a/ b/
old mode 40755
new mode 40777
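Review bot: the `old mode 40755` / `new mode 40777` pair on `a/ b/` shows the source directory itself being widened to world-writable, not only the new template file, so whatever fix lands for the file mode should be checked against the directory mode as well; `chezmoi doctor` below reports `umask 022`, which would have produced 0755 had it been applied.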
diff --git a/.chezmoi.toml.tmpl b/.chezmoi.toml.tmpl
new file mode 100666
index 0000000000000000000000000000000000000000..ae616fe89038d1e735b72546b1140266d083e99a
--- /dev/null
+++ b/.chezmoi.toml.tmpl
@@ -0,0 +1,12 @@
+# ~/.config/chezmoi/chezmoi.toml
+# vim: tw=79
+#
+# See: https://www.chezmoi.io/reference/configuration-file
+#
+# Adheres to TOML v1 syntax: https://toml.io/en/v1.0.0
+
+encryption = "gpg"
+gpg.recipient = "[REDACTED]"
+
+[git]
+autoAdd = true
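Review bot: `new file mode 100666` is the defect in one line: a freshly created .chezmoi.toml.tmpl arrives as -rw-rw-rw- although the reported umask is 022, so the mode bits are being applied verbatim after creation rather than masked; the expected header for this environment would read `new file mode 100644`.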

Output of chezmoi doctor

I ran this after the steps used to reproduce the bug, but running it before gives the same output.

$ chezmoi doctor
RESULT    CHECK                       MESSAGE
warning   version                     v2.48.1, built at 2024-05-13T12:57:01Z
ok        latest-version              v2.48.1
ok        os-arch                     linux/amd64 (Arch Linux)
ok        uname                       Linux gumshoe 6.9.2-arch1-1 #1 SMP PREEMPT_DYNAMIC Sun, 26 May 2024 01:30:29 +0000 x86_64 GNU/Linux
ok        go-version                  go1.22.3 (gc)
ok        executable                  /usr/bin/chezmoi
ok        config-file                 ~/.config/chezmoi/chezmoi.toml, last modified 2024-05-27T17:43:40+02:00
warning   source-dir                  ~/.local/share/chezmoi is a git working tree (dirty)
ok        suspicious-entries          no suspicious entries
warning   working-tree                ~/.local/share/chezmoi is a git working tree (dirty)
ok        dest-dir                    ~ is a directory
ok        umask                       022
ok        cd-command                  found /bin/zsh
ok        cd-args                     /bin/zsh
info      diff-command                not set
ok        edit-command                found /usr/bin/vim
ok        edit-args                   /usr/bin/vim
ok        git-command                 found /usr/bin/git, version 2.45.1
ok        merge-command               found /usr/bin/vimdiff
ok        shell-command               found /bin/zsh
ok        shell-args                  /bin/zsh
info      age-command                 age not found in $PATH
ok        gpg-command                 found /usr/bin/gpg, version 2.4.5
info      pinentry-command            not set
ok        1password-command           found ~/bin/op, version 2.29.0
info      bitwarden-command           bw not found in $PATH
info      bitwarden-secrets-command   bws not found in $PATH
info      dashlane-command            dcli not found in $PATH
info      doppler-command             doppler not found in $PATH
info      gopass-command              gopass not found in $PATH
info      keepassxc-command           keepassxc-cli not found in $PATH
info      keepassxc-db                not set
info      keeper-command              keeper not found in $PATH
info      lastpass-command            lpass not found in $PATH
info      pass-command                pass not found in $PATH
info      passhole-command            ph not found in $PATH
info      rbw-command                 rbw not found in $PATH
info      vault-command               vault not found in $PATH
info      vlt-command                 vlt not found in $PATH
info      secret-command              not set

Additional context

Only tested with the .toml template, but I'd assume this applies to any configuration language.

The issue appears to be:

if err := c.sourceSystem.WriteFile(configTemplateAbsPath, data, 0o666); err != nil {

A bit of digging reveals that this completely ignores the umask and uses the permissions exactly as specified:

// Set permissions after truncation but before writing any data, in case the
// file contained private data before, but before writing the new contents,
// in case the new contents contain private data after.
if err = f.Chmod(perm); err != nil {
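To make the distinction concrete, here is an added Go example (not chezmoi's code, and not the fix in #3782, whose details are not on this page): writeFileExactMode reproduces the truncate-then-Chmod pattern quoted above, where fchmod(2) applies the bits verbatim, while writeFileUmaskAware clears the umask bits from the requested mode before applying it, so a pre-existing wider file is still tightened before new contents are written but the result honours the umask. The function names, the temp-dir demo and the sample content are constructed for this example; syscall.Umask makes it Unix-only.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// currentUmask returns the process umask. umask(2) has no read-only form, so
// this sets and immediately restores the value; the call is process-wide and
// not safe to interleave with concurrent file creation. Unix-only.
func currentUmask() os.FileMode {
	old := syscall.Umask(0)
	syscall.Umask(old)
	return os.FileMode(old)
}

// writeFileExactMode reproduces the pattern quoted from the report: open with
// truncation, then f.Chmod(perm) before writing. fchmod(2) applies the bits
// exactly, so perm 0o666 yields -rw-rw-rw- no matter what the umask is.
func writeFileExactMode(path string, data []byte, perm os.FileMode) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return err
	}
	defer f.Close()
	if err := f.Chmod(perm); err != nil {
		return err
	}
	_, err = f.Write(data)
	return err
}

// writeFileUmaskAware keeps the "chmod before writing" property (a pre-existing
// file with wider bits is tightened before the new contents land) but clears
// the umask bits from perm first, so the result matches what the kernel would
// have produced for a fresh open(2) with O_CREAT.
func writeFileUmaskAware(path string, data []byte, perm, umask os.FileMode) error {
	effective := perm &^ umask
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, effective)
	if err != nil {
		return err
	}
	defer f.Close()
	if err := f.Chmod(effective); err != nil {
		return err
	}
	_, err = f.Write(data)
	return err
}

// permOf returns only the permission bits of path.
func permOf(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "umask-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)

	// Force the umask from the report (022) for the demo and restore it after.
	restore := syscall.Umask(0o022)
	defer syscall.Umask(restore)

	// Constructed sample content, not a real chezmoi configuration.
	data := []byte("# constructed sample template\n")
	exact := filepath.Join(dir, "exact.tmpl")
	aware := filepath.Join(dir, "aware.tmpl")
	if err := writeFileExactMode(exact, data, 0o666); err != nil {
		fmt.Println(err)
		return
	}
	if err := writeFileUmaskAware(aware, data, 0o666, currentUmask()); err != nil {
		fmt.Println(err)
		return
	}
	for _, p := range []string{exact, aware} {
		m, _ := permOf(p)
		fmt.Printf("%-10s %#o\n", filepath.Base(p), m) // exact.tmpl 0666, aware.tmpl 0644
	}
}
```

The same masking applies to directories: the verbose output in the report shows the source directory itself going from 40755 to 40777, and perm &^ umask gives 0755 there for the reported umask of 022.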

Thanks for the thorough report! Your analysis was correct. This, and an equivalent bug in chezmoi edit, are fixed in #3782.