[Security] Credential and config files lack strict file permissions #70

@Prodesire

Bug Description

File: src/iac_code/config.py:48-51, config.py:250-252, utils/log.py:69-79
Type: Insecure File Permissions (CWE-732)
Severity: Medium
Verified: Confirmed _save_yaml does not call restrict_file_permissions

Problem

.credentials.yml and .cloud-credentials.yml contain plaintext API keys but are written without setting restrictive permissions (0600). On multi-user systems, other users can read these credential files.

Additionally:

  • Configuration directories are created without enforcing 0700
  • Log directories and log files also lack strict permissions
  • If debug logs record prompts, tool parameters, or tool results, sensitive information may be exposed through overly permissive log files

Impact

On shared systems (multi-user servers, CI environments), any local user can read:

  • API keys for LLM providers
  • Cloud credentials (Alibaba Cloud AccessKey, etc.)
  • Potentially sensitive content from debug logs

Expected Behavior

  • Credential files should be created with 0600 permissions (owner read/write only)
  • Configuration and log directories should be created with 0700 permissions
  • After writing, restrict_file_permissions() should be called

Actual Behavior

  • Files are created with default umask permissions (often 0644)
  • No permission restriction is applied after write
  • Any local user may read credential files

Suggested Fix

import os

# path and dir_path are pathlib.Path objects

# After writing credential files: owner read/write only
path.write_text(content)
os.chmod(path, 0o600)

# When creating directories: owner-only access
dir_path.mkdir(parents=True, exist_ok=True)
os.chmod(dir_path, 0o700)
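
A variant of the suggested fix that also closes the short window between `write_text()` and `chmod()`, during which the file still carries umask-default permissions. This is an added example, not code from the issue or from the project; `ensure_private_dir`, `write_private_file`, `mode_of` and `demo` are hypothetical names, and the credential value is a constructed placeholder.

```python
import os
import stat
import tempfile
from pathlib import Path


def ensure_private_dir(dir_path: Path) -> None:
    # mkdir's mode is masked by the umask and ignored when the directory
    # already exists, so chmod explicitly. Only the leaf is tightened.
    dir_path.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(dir_path, 0o700)


def write_private_file(path: Path, content: str) -> None:
    ensure_private_dir(path.parent)
    # mkstemp creates the temp file as 0600 from the first byte, so the
    # secret is never on disk under a group/other-readable mode.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(content)
        # Atomic rename: also replaces a pre-existing 0644 file.
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def mode_of(path: Path) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Constructed scenario: a config dir and credential file created
    under umask 022, then rewritten with the hardened writer."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as root:
            cfg = Path(root) / "config"
            cred = cfg / ".credentials.yml"
            cfg.mkdir()                                    # 0755
            cred.write_text("api_key: PLACEHOLDER-OLD\n")  # 0644
            before = (mode_of(cfg), mode_of(cred))
            write_private_file(cred, "api_key: PLACEHOLDER-NEW\n")
            after = (mode_of(cfg), mode_of(cred))
            return {"before": before, "after": after,
                    "content": cred.read_text()}
    finally:
        os.umask(old_umask)
```

The mode bits here are POSIX semantics; on Windows `os.chmod` only toggles the read-only flag, so ACLs would be needed there.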

Labels: bug, security