Use restrictive permissions (0700) for cache directories (#714)

rdimitrov · web-flow · commit f400bf4c2047 · 2026-01-21T10:32:40.000+02:00
Signed-off-by: Radoslav Dimitrov &lt;radoslav@stacklok.com&gt;
diff --git a/metadata/config/config.go b/metadata/config/config.go
@@ -84,7 +84,12 @@ func (cfg *UpdaterConfig) EnsurePathsExist() error {
 	}
 
 	for _, path := range []string{cfg.LocalMetadataDir, cfg.LocalTargetsDir} {
-		if err := os.MkdirAll(path, os.ModePerm); err != nil {
+		// Use 0700 for cache directories: only the owner can read, write, and
+		// access the directory. This prevents other users on shared systems from
+		// reading or writing to the TUF cache, which could be a security risk.
+		// If different permissions are needed, pre-create the directories with
+		// the desired permissions before calling this function.
+		if err := os.MkdirAll(path, 0700); err != nil {
 			return err
 		}
 	}
diff --git a/metadata/multirepo/multirepo.go b/metadata/multirepo/multirepo.go
@@ -351,7 +351,12 @@ func (cfg *MultiRepoConfig) EnsurePathsExist() error {
 		return nil
 	}
 	for _, path := range []string{cfg.LocalMetadataDir, cfg.LocalTargetsDir} {
-		err := os.MkdirAll(path, os.ModePerm)
+		// Use 0700 for cache directories: only the owner can read, write, and
+		// access the directory. This prevents other users on shared systems from
+		// reading or writing to the TUF cache, which could be a security risk.
+		// If different permissions are needed, pre-create the directories with
+		// the desired permissions before calling this function.
+		err := os.MkdirAll(path, 0700)
 		if err != nil {
 			return err
 		}

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,12 @@ func (cfg *UpdaterConfig) EnsurePathsExist() error {`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`for _, path := range []string{cfg.LocalMetadataDir, cfg.LocalTargetsDir} {`
`87`		`- if err := os.MkdirAll(path, os.ModePerm); err != nil {`
	`87`	`+ // Use 0700 for cache directories: only the owner can read, write, and`
	`88`	`+ // access the directory. This prevents other users on shared systems from`
	`89`	`+ // reading or writing to the TUF cache, which could be a security risk.`
	`90`	`+ // If different permissions are needed, pre-create the directories with`
	`91`	`+ // the desired permissions before calling this function.`
	`92`	`+ if err := os.MkdirAll(path, 0700); err != nil {`
`88`	`93`	`return err`
`89`	`94`	`}`
`90`	`95`	`}`
Original file line number	Diff line number	Diff line change
`@@ -351,7 +351,12 @@ func (cfg *MultiRepoConfig) EnsurePathsExist() error {`
`351`	`351`	`return nil`
`352`	`352`	`}`
`353`	`353`	`for _, path := range []string{cfg.LocalMetadataDir, cfg.LocalTargetsDir} {`
`354`		`- err := os.MkdirAll(path, os.ModePerm)`
	`354`	`+ // Use 0700 for cache directories: only the owner can read, write, and`
	`355`	`+ // access the directory. This prevents other users on shared systems from`
	`356`	`+ // reading or writing to the TUF cache, which could be a security risk.`
	`357`	`+ // If different permissions are needed, pre-create the directories with`
	`358`	`+ // the desired permissions before calling this function.`
	`359`	`+ err := os.MkdirAll(path, 0700)`
`355`	`360`	`if err != nil {`
`356`	`361`	`return err`
`357`	`362`	`}`