Merge pull request #19 from sorah/runtime-chmod

ensure runtime_dir is 0700

src/cmd/agent.rs

@@ -18,6 +18,7 @@ pub fn run(args: &AgentArgs) -> Result<(), anyhow::Error> {
 
     protect_process();
     crate::config::cache_dir_mkpath()?;
+    crate::config::runtime_dir_mkpath()?;
 
     if args.daemonize {
         return serve_on_path_daemon(path);

src/config.rs

@@ -55,23 +55,34 @@ pub fn trust_dir_mkpath() -> std::io::Result<std::path::PathBuf> {
 pub fn runtime_dir() -> std::path::PathBuf {
     match std::env::var("XDG_RUNTIME_DIR") {
         Ok(d) => std::path::PathBuf::from(d).join(env!("CARGO_PKG_NAME")),
-        Err(_) => config_dir().join("run"),
+        Err(_) => state_dir().join("run"),
     }
 }
+
+const RUNTIME_DIR_MODE: nix::sys::stat::Mode = nix::sys::stat::Mode::S_IRWXU;
+
 pub fn runtime_dir_mkpath() -> std::io::Result<std::path::PathBuf> {
     let dir = runtime_dir();
-    std::fs::create_dir_all(&dir)?;
+    if dir.exists() {
+        use std::os::unix::fs::PermissionsExt;
+        #[allow(clippy::useless_conversion)] // u16 to u32 on macOS, u32 to u32 on Linux
+        std::fs::set_permissions(
+            &dir,
+            std::fs::Permissions::from_mode(RUNTIME_DIR_MODE.bits().into()),
+        )?;
+    } else {
+        if let Some(parent) = dir.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
+        nix::unistd::mkdir(&dir, RUNTIME_DIR_MODE)?;
+    }
     Ok(dir)
 }
 
 pub fn socket_path() -> std::path::PathBuf {
     std::env::var("MAIRU_AGENT_SOCK")
         .map(|x| x.into())
-        .unwrap_or_else(|_| {
-            runtime_dir_mkpath()
-                .unwrap()
-                .join(format!("{}-agent.sock", env!("CARGO_PKG_NAME")))
-        })
+        .unwrap_or_else(|_| runtime_dir().join(format!("{}-agent.sock", env!("CARGO_PKG_NAME"))))
 }
 
 #[derive(serde::Serialize, serde::Deserialize, Clone)]