harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

fix: handle empty USERNAME and add debug log for icacls success

Browse source 
- Check for empty USERNAME env var before running icacls to avoid a
  doomed invocation with ":F" grant argument
- Log a clear warning when USERNAME is empty
- Add tracing::debug on successful permission set

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
fettpl 2026-02-15 00:29:22 +01:00
parent 2942e5607d
commit 6fd4b2d750
1 changed files with 25 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

43
src/security/secrets.rs
View file

@ -191,25 +191,32 @@ impl SecretStore {
#[cfg(windows)] #[cfg(windows)]
{ {
// On Windows, use icacls to restrict permissions to current user only // On Windows, use icacls to restrict permissions to current user only
match std::process::Command::new("icacls") let username = std::env::var("USERNAME").unwrap_or_default();
.arg(&self.key_path) if username.is_empty() {
.args(["/inheritance:r", "/grant:r"]) tracing::warn!(
.arg(format!( "USERNAME environment variable is empty; \
"{}:F", cannot restrict key file permissions via icacls"
std::env::var("USERNAME").unwrap_or_default() );
)) } else {
.output() match std::process::Command::new("icacls")
{ .arg(&self.key_path)
Ok(o) if !o.status.success() => { .args(["/inheritance:r", "/grant:r"])
tracing::warn!( .arg(format!("{username}:F"))
"Failed to set key file permissions via icacls (exit code {:?})", .output()
o.status.code() {
); Ok(o) if !o.status.success() => {
tracing::warn!(
"Failed to set key file permissions via icacls (exit code {:?})",
o.status.code()
);
}
Err(e) => {
tracing::warn!("Could not set key file permissions: {e}");
}
_ => {
tracing::debug!("Key file permissions restricted via icacls");
}
} }
Err(e) => {
tracing::warn!("Could not set key file permissions: {e}");
}
_ => {}
} }
} }