fix: handle empty USERNAME and add debug log for icacls success

- Check for empty USERNAME env var before running icacls to avoid a
  doomed invocation with ":F" grant argument
- Log a clear warning when USERNAME is empty
- Add tracing::debug on successful permission set

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fettpl 2026-02-15 00:29:22 +01:00
parent 2942e5607d
commit 6fd4b2d750


@ -191,13 +191,17 @@ impl SecretStore {
#[cfg(windows)] #[cfg(windows)]
{ {
// On Windows, use icacls to restrict permissions to current user only // On Windows, use icacls to restrict permissions to current user only
let username = std::env::var("USERNAME").unwrap_or_default();
if username.is_empty() {
tracing::warn!(
"USERNAME environment variable is empty; \
cannot restrict key file permissions via icacls"
);
} else {
match std::process::Command::new("icacls") match std::process::Command::new("icacls")
.arg(&self.key_path) .arg(&self.key_path)
.args(["/inheritance:r", "/grant:r"]) .args(["/inheritance:r", "/grant:r"])
.arg(format!( .arg(format!("{username}:F"))
"{}:F",
std::env::var("USERNAME").unwrap_or_default()
))
.output() .output()
{ {
Ok(o) if !o.status.success() => { Ok(o) if !o.status.success() => {
@ -209,7 +213,10 @@ impl SecretStore {
Err(e) => { Err(e) => {
tracing::warn!("Could not set key file permissions: {e}"); tracing::warn!("Could not set key file permissions: {e}");
} }
_ => {} _ => {
tracing::debug!("Key file permissions restricted via icacls");
}
}
} }
} }
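Review bot: The principal passed to `/grant:r` in the new `else` branch is still read from the `USERNAME` environment variable, which is inherited from whatever launched the process and is not a trustworthy statement of who is running it; a wrong or overridden value makes icacls grant full control of the key file to a different account. Resolving the account from the process token (or its SID) would be safer, and until then a comment such as `// USERNAME is inherited from the parent process; the ACL principal is only as trustworthy as the environment` would record the limitation. Separately, the new empty-`USERNAME` branch only warns and continues, so the key file keeps its inherited ACL; if the enclosing function can return an error, failing there (or at least logging with `tracing::error!`) would avoid silently running with an unprotected key. The enclosing function begins outside the hunk, so its return type is not visible here.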