Cross-platform file / directory permission tightening for secret-bearing paths (bootstrap seeds, keystores, export bundles).
§Unix
restrict_file_to_owner → chmod 0600, restrict_dir_to_owner → chmod 0700. Mirrors the discipline already applied inline at existing call sites.
§Windows
icacls <path> /inheritance:r /grant:r <user>:(F) — removes any inherited ACEs and replaces the DACL with a single full-control grant to the current user. This is defence-in-depth on top of the user-profile defaults (which already keep other local users out, but inherited admin / Users group grants can slip through on misconfigured boxes or when the data lives outside the profile).

Shell-out to icacls rather than native SetNamedSecurityInfoW because icacls is universally available on every supported Windows version, gets the quirks right (inheritance flags, SID lookup), and doesn’t force the crate to carry a pile of unsafe Windows API code on a platform we don’t exercise in CI. A future iteration can swap to the native API if icacls becomes insufficient.
Errors are non-fatal at call sites: callers log a warning and continue, matching how the existing Unix PermissionsExt calls are already wired (best-effort hardening, not a correctness gate).
Functions§
- restrict_dir_to_owner - Restrict path (a directory) so only the owner can traverse / read / write. On Unix: 0700. On Windows: inheritance removed and DACL replaced with full control to the current user only.
- restrict_file_to_owner - Restrict path (a file) so only the owner can read / write.
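An added reference implementation of the two functions as described above (example code, not the crate's own): Unix goes through PermissionsExt, Windows through the documented icacls shell-out, and a best-effort wrapper shows the warn-and-continue call-site pattern. Assumptions: the USERNAME environment variable names the account that should keep access, and the mode_bits and harden_best_effort helpers are illustrative names that do not exist in the crate.

```rust
use std::io;
use std::path::Path;

/// Restrict `path` (a file) so only the owner can read / write.
pub fn restrict_file_to_owner(path: &Path) -> io::Result<()> {
    restrict(path, 0o600)
}

/// Restrict `path` (a directory) so only the owner can traverse / read / write.
pub fn restrict_dir_to_owner(path: &Path) -> io::Result<()> {
    restrict(path, 0o700)
}

/// Unix: chmod to exactly `mode`, dropping every group/other bit.
#[cfg(unix)]
fn restrict(path: &Path, mode: u32) -> io::Result<()> {
    use std::os::unix::fs::PermissionsExt;
    std::fs::set_permissions(path, std::fs::Permissions::from_mode(mode))
}

/// Unix: read back the permission bits so a caller can verify the result.
#[cfg(unix)]
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    use std::os::unix::fs::PermissionsExt;
    Ok(std::fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Windows: strip inherited ACEs, leave one full-control ACE. Assumes USERNAME is the right account.
#[cfg(windows)]
fn restrict(path: &Path, _mode: u32) -> io::Result<()> {
    let user = std::env::var("USERNAME")
        .map_err(|e| io::Error::new(io::ErrorKind::NotFound, e))?;
    let status = std::process::Command::new("icacls")
        .arg(path)
        .args(["/inheritance:r", "/grant:r"])
        .arg(format!("{user}:(F)"))
        .status()?;
    if status.success() { return Ok(()); }
    Err(io::Error::new(io::ErrorKind::Other, format!("icacls exited with {status}")))
}

/// Call-site pattern from the module docs: warn and continue, never abort.
pub fn harden_best_effort(path: &Path, is_dir: bool) -> bool {
    let r = if is_dir { restrict_dir_to_owner(path) } else { restrict_file_to_owner(path) };
    if let Err(e) = &r {
        eprintln!("warning: could not restrict {}: {e}", path.display());
    }
    r.is_ok()
}
```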