fix: handle empty USERNAME and add debug log for icacls success

- Check for empty USERNAME env var before running icacls to avoid a
  doomed invocation with ":F" grant argument
- Log a clear warning when USERNAME is empty
- Add tracing::debug on successful permission set

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fettpl 2026-02-15 00:29:22 +01:00
parent 2942e5607d
commit 6fd4b2d750


@ -191,25 +191,32 @@ impl SecretStore {
#[cfg(windows)]
{
// On Windows, use icacls to restrict permissions to current user only
match std::process::Command::new("icacls")
.arg(&self.key_path)
.args(["/inheritance:r", "/grant:r"])
.arg(format!(
"{}:F",
std::env::var("USERNAME").unwrap_or_default()
))
.output()
{
Ok(o) if !o.status.success() => {
tracing::warn!(
"Failed to set key file permissions via icacls (exit code {:?})",
o.status.code()
);
let username = std::env::var("USERNAME").unwrap_or_default();
if username.is_empty() {
tracing::warn!(
"USERNAME environment variable is empty; \
cannot restrict key file permissions via icacls"
);
} else {
match std::process::Command::new("icacls")
.arg(&self.key_path)
.args(["/inheritance:r", "/grant:r"])
.arg(format!("{username}:F"))
.output()
{
Ok(o) if !o.status.success() => {
tracing::warn!(
"Failed to set key file permissions via icacls (exit code {:?})",
o.status.code()
);
}
Err(e) => {
tracing::warn!("Could not set key file permissions: {e}");
}
_ => {
tracing::debug!("Key file permissions restricted via icacls");
}
}
Err(e) => {
tracing::warn!("Could not set key file permissions: {e}");
}
_ => {}
}
}
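Review bot: The new `username.is_empty()` guard only rejects an empty value; the principal in `.arg(format!("{username}:F"))` is still taken from the `USERNAME` environment variable, which is unqualified and inherited from whatever launched the process. A stale or overridden value (for example under a service account, or where a local and a domain account share a name) would make icacls grant full control of the key file to a principal other than the account the process actually runs as. Prefer deriving the account from the process token and passing its SID, which icacls accepts in `*<SID>` form, or at minimum qualify the name, e.g. `format!("{domain}\\{username}:F")` with `domain` read from `USERDOMAIN`. Separately, the empty-USERNAME branch and both icacls failure arms only emit `tracing::warn!`, so the key file appears to be left without the intended restriction and the caller is not told. If the enclosing function can return an error, which cannot be seen here because its signature lies outside the hunk, consider returning one, or document the best-effort behaviour in the comment above the block.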