From 6fd4b2d750816f9cd922fab0698b4b411696e301 Mon Sep 17 00:00:00 2001
From: fettpl <38704082+fettpl@users.noreply.github.com>
Date: Sun, 15 Feb 2026 00:29:22 +0100
Subject: [PATCH] fix: handle empty USERNAME and add debug log for icacls success

- Check for empty USERNAME env var before running icacls to avoid a doomed invocation with ":F" grant argument
- Log a clear warning when USERNAME is empty
- Add tracing::debug on successful permission set

Co-Authored-By: Claude Opus 4.6
---
 src/security/secrets.rs | 43 ++++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 18 deletions(-)

diff --git a/src/security/secrets.rs b/src/security/secrets.rs
index c845bd9..db38972 100644
--- a/src/security/secrets.rs
+++ b/src/security/secrets.rs
@@ -191,25 +191,32 @@ impl SecretStore {
 #[cfg(windows)]
 {
 // On Windows, use icacls to restrict permissions to current user only
- match std::process::Command::new("icacls")
- .arg(&self.key_path)
- .args(["/inheritance:r", "/grant:r"])
- .arg(format!(
- "{}:F",
- std::env::var("USERNAME").unwrap_or_default()
- ))
- .output()
- {
- Ok(o) if !o.status.success() => {
- tracing::warn!(
- "Failed to set key file permissions via icacls (exit code {:?})",
- o.status.code()
- );
+ let username = std::env::var("USERNAME").unwrap_or_default();
+ if username.is_empty() {
+ tracing::warn!(
+ "USERNAME environment variable is empty; \
+ cannot restrict key file permissions via icacls"
+ );
+ } else {
+ match std::process::Command::new("icacls")
+ .arg(&self.key_path)
+ .args(["/inheritance:r", "/grant:r"])
+ .arg(format!("{username}:F"))
+ .output()
+ {
+ Ok(o) if !o.status.success() => {
+ tracing::warn!(
+ "Failed to set key file permissions via icacls (exit code {:?})",
+ o.status.code()
+ );
+ }
+ Err(e) => {
+ tracing::warn!("Could not set key file permissions: {e}");
+ }
+ _ => {
+ tracing::debug!("Key file permissions restricted via icacls");
+ }
 }
- Err(e) => {
- tracing::warn!("Could not set key file permissions: {e}");
- }
- _ => {}
 }
 }
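Review bot: The grantee passed to `/grant:r` is still read from the `USERNAME` environment variable, so the new `username.is_empty()` guard covers only the missing case. A value inherited from a different launch context, or an unqualified name that resolves to another account, would give full control of the key file to a principal other than the one running the process. If the environment stays the source, qualifying the name would narrow this, e.g. `.arg(format!("{domain}\\{username}:F"))` with `domain` read from `USERDOMAIN` and checked under the same non-empty guard. Separately, the empty-name branch and both failure arms only emit `tracing::warn!`, so the key file keeps its inherited ACL and the caller gets no signal. The enclosing function's signature is outside the hunk; if it can return an error, returning one here would stop the secret store from continuing with an unprotected key file, and at minimum a comment such as `// Fail-open: key file keeps inherited ACLs if this step is skipped or fails` should record the behaviour.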