~sircmpwn/aerc

aerc: Update on allowing looser permissions without secrets v1 PROPOSED

~ambroisie
Hello,

This is an update to an earlier patch I sent in, where the
configuration is allowed to be used with looser permissions only if
every account uses credential commands (meaning that the configuration
does not contain any secrets).

Respectfully,

Bruno BELANYI (1):
  only error on permission when config has secrets

 config/config.go | 46 +++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 7 deletions(-)

-- 
2.30.2
#511354 .build.yml success
builds.sr.ht
aerc/patches/.build.yml: SUCCESS in 52s

[Update on allowing looser permissions without secrets][0] from [~ambroisie][1]

[0]: https://lists.sr.ht/~sircmpwn/aerc/patches/22875
[1]: mailto:bruno@belanyi.fr

✓ #511354 SUCCESS aerc/patches/.build.yml https://builds.sr.ht/~sircmpwn/job/511354

[PATCH aerc 1/1] only error on permission when config has secrets

~ambroisie
From: Bruno BELANYI <bruno@belanyi.fr>

---
 config/config.go | 46 +++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 7 deletions(-)

diff --git a/config/config.go b/config/config.go
index af9c63b..8cf3f62 100644
--- a/config/config.go
+++ b/config/config.go
@@ -162,7 +162,9 @@ func mapName(raw string) string {
	return string(newstr)
}

func loadAccountConfig(path string) ([]AccountConfig, error) {
// Load account configuration from the path, but do not extract pasword using
// provided commands
func loadAccountConfigPure(path string) ([]AccountConfig, error) {
	file, err := ini.Load(path)
	if err != nil {
		// No config triggers account configuration wizard
@@ -220,21 +222,34 @@ func loadAccountConfig(path string) ([]AccountConfig, error) {
			return nil, fmt.Errorf("Expected from for account %s", _sec)
		}

		accounts = append(accounts, account)
	}
	return accounts, nil
}

func loadAccountConfig(path string) ([]AccountConfig, error) {
	accounts, err := loadAccountConfigPure(path)
	if err != nil {
		return nil, err
	}

	var parsedAccounts []AccountConfig
	for _, account := range accounts {
		source, err := parseCredential(account.Source, account.SourceCredCmd)
		if err != nil {
			return nil, fmt.Errorf("Invalid source credentials for %s: %s", _sec, err)
			return nil, fmt.Errorf("Invalid source credentials for %s: %s", account.Name, err)
		}
		account.Source = source

		outgoing, err := parseCredential(account.Outgoing, account.OutgoingCredCmd)
		if err != nil {
			return nil, fmt.Errorf("Invalid outgoing credentials for %s: %s", _sec, err)
			return nil, fmt.Errorf("Invalid outgoing credentials for %s: %s", account.Name, err)
		}
		account.Outgoing = outgoing

		accounts = append(accounts, account)
		parsedAccounts = append(parsedAccounts, account)
	}
	return accounts, nil

	return parsedAccounts, nil
}

func parseCredential(cred, command string) (string, error) {
@@ -632,6 +647,23 @@ func LoadConfigFromFile(root *string, sharedir string) (*AercConfig, error) {
	return config, nil
}

func hasSecrets(filename string) bool {
	accounts, err := loadAccountConfigPure(filename)
	if err != nil {
		// Conservatively assume that there is a secret on errors
		return true
	}

	for _, account := range accounts {
		if account.SourceCredCmd == "" || account.OutgoingCredCmd == "" {
			return true
		}
	}

	// No secrets have been identified
	return false
}

// checkConfigPerms checks for too open permissions
// printing the fix on stdout and returning an error
func checkConfigPerms(filename string) error {
@@ -641,7 +673,7 @@ func checkConfigPerms(filename string) error {
	}
	perms := info.Mode().Perm()
	// group or others have read access
	if perms&044 != 0 {
	if perms&044 != 0 && hasSecrets(filename) {
		fmt.Fprintf(os.Stderr, "The file %v has too open permissions.\n", filename)
		fmt.Fprintln(os.Stderr, "This is a security issue (it contains passwords).")
		fmt.Fprintf(os.Stderr, "To fix it, run `chmod 600 %v`\n", filename)
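Review bot: In checkConfigPerms the relaxed condition `perms&044 != 0 && hasSecrets(filename)` now lets group- or world-writable modes such as 0666 pass silently once every account sets both credential commands; the old test rejected those modes because their read bits are set. The comment on loadAccountConfigPure suggests the credential commands are executed when the accounts are loaded, so a config that other users can modify should keep failing whether or not it holds secrets, e.g. `if perms&022 != 0 || (perms&044 != 0 && hasSecrets(filename)) {`, with a message that does not claim the file contains passwords in that case. Separately, hasSecrets infers "no secrets" only from the presence of a command; a `Source` or `Outgoing` URL could presumably still carry an inline password next to a command, so inspecting the parsed URL's userinfo would be a tighter test. The body of checkConfigPerms starts and ends outside this hunk, so the surrounding stat handling was not reviewed.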
-- 
2.30.2
builds.sr.ht
aerc/patches/.build.yml: SUCCESS in 52s

[Update on allowing looser permissions without secrets][0] from [~ambroisie][1]

[0]: https://lists.sr.ht/~sircmpwn/aerc/patches/22875
[1]: mailto:bruno@belanyi.fr

✓ #511354 SUCCESS aerc/patches/.build.yml https://builds.sr.ht/~sircmpwn/job/511354