harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

fix: log warning when Windows key file permissions fail to set

Browse source 
Replace silently discarded icacls result with proper error handling
that logs a tracing::warn! on failure. Previously, if icacls failed
(binary not found, permission denied), the key file would remain
world-readable on Windows with no indication of the problem.

Closes #56

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
fettpl 2026-02-14 23:59:36 +01:00
parent 365692853c
commit 2942e5607d
2 changed files with 16 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/security/secrets.rs
View file

@ -191,14 +191,26 @@ impl SecretStore {
#[cfg(windows)] #[cfg(windows)]
{ {
// On Windows, use icacls to restrict permissions to current user only // On Windows, use icacls to restrict permissions to current user only
let _ = std::process::Command::new("icacls") match std::process::Command::new("icacls")
.arg(&self.key_path) .arg(&self.key_path)
.args(["/inheritance:r", "/grant:r"]) .args(["/inheritance:r", "/grant:r"])
.arg(format!( .arg(format!(
"{}:F", "{}:F",
std::env::var("USERNAME").unwrap_or_default() std::env::var("USERNAME").unwrap_or_default()
)) ))
.output(); .output()
{
Ok(o) if !o.status.success() => {
tracing::warn!(
"Failed to set key file permissions via icacls (exit code {:?})",
o.status.code()
);
}
Err(e) => {
tracing::warn!("Could not set key file permissions: {e}");
}
_ => {}
}
} }
Ok(key) Ok(key)
@ -241,7 +253,7 @@ fn hex_encode(data: &[u8]) -> String {
/// Hex-decode a hex string to bytes. /// Hex-decode a hex string to bytes.
fn hex_decode(hex: &str) -> Result<Vec<u8>> { fn hex_decode(hex: &str) -> Result<Vec<u8>> {
if hex.len() % 2 != 0 { if !hex.len().is_multiple_of(2) {
anyhow::bail!("Hex string has odd length"); anyhow::bail!("Hex string has odd length");
} }
(0..hex.len()) (0..hex.len())

1
src/tools/browser.rs
View file

@ -366,6 +366,7 @@ impl BrowserTool {
} }
#[async_trait] #[async_trait]
#[allow(clippy::too_many_lines)]
impl Tool for BrowserTool { impl Tool for BrowserTool {
fn name(&self) -> &str { fn name(&self) -> &str {
"browser" "browser"