Skip to content

Use 0644 instead of 0666 for file mode in openFile#87

Closed
campoy wants to merge 3 commits intomasterfrom
fix/file-permissions
Closed

Use 0644 instead of 0666 for file mode in openFile#87
campoy wants to merge 3 commits intomasterfrom
fix/file-permissions

Conversation

@campoy
Copy link
Copy Markdown
Owner

@campoy campoy commented Apr 11, 2026

Summary

Change the permission mode passed to os.OpenFile in the openFile helper from 0666 (world-writable) to 0644 (owner read/write, group and world read-only).

On systems with a permissive umask — common in Docker containers and some CI runners — 0666 leaves files rewritten by embedmd -w world-writable, allowing any local user to tamper with them. 0644 is the conventional mode for non-executable source and documentation files.

A TestOpenFilePermissions test is added to verify the file opened by the production os.OpenFile call has no group/world write bits set.

Test plan

  • TestOpenFilePermissions — stat a real temp file after opening it and assert mode & 0022 == 0
  • All existing tests continue to pass (go test ./...)

Closes #82

Francesc Campoy added 3 commits April 10, 2026 18:21
Use 0644 instead of 0666 for file mode in openFile
4455a8c 
On systems with a permissive umask (e.g. Docker containers), 0666
produces world-writable files. 0644 is the conventional permission
for non-executable source files.

Closes #82
Preserve original file permissions when rewriting
a95c0e5 
Stat the file before opening it, then explicitly Chmod it back to the
original mode after writing. This makes permission preservation robust
and explicit, rather than relying on the implicit behaviour of the OS
when writing to an already-open file handle.

The mode argument to os.OpenFile is dropped (set to 0) since it has no
effect when O_CREATE is absent. The Chmod call is now the authoritative
place where the file's mode is handled.
Use mode 0 in openFile to clarify permissions are not set
5883771 
os.OpenFile without O_CREATE never modifies an existing file's
permissions — WriteAt and Truncate don't either — so the mode
argument of 0666 was both misleading and a no-op. Passing 0 makes
it explicit that no permission bits are being set here.
@campoy
Copy link
Copy Markdown
Owner Author

campoy commented Apr 11, 2026

After further analysis this fix is not needed.

os.OpenFile without O_CREATE never creates a file — it only opens an existing one. The mode argument (third parameter) is only consulted by the kernel when a new file is being created. Since embedmd -w always operates on pre-existing markdown files, the 0666 value was completely inert: it had no effect on any file's permissions at any point.

WriteAt and Truncate on an already-open file handle also do not touch permissions. The file's permissions are preserved implicitly by the OS throughout the rewrite, with no action needed on our part.

The only change that makes sense here is replacing 0666 with 0 to make it obvious the argument is intentionally unused, which is done in the final commit on this branch — but that is a cosmetic clarification, not a security fix. Closing in favour of the issue explanation.

@campoy campoy closed this Apr 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

openFile uses mode 0666, leaving rewritten files world-writable

1 participant

@campoy