Skip to content

[Mate] Create scaffolded secrets and log files with restrictive permissions#2247

Open
wachterjohannes wants to merge 1 commit into
symfony:mainfrom
wachterjohannes:vibe/fix-insecure-permissions-85ec43
Open

[Mate] Create scaffolded secrets and log files with restrictive permissions#2247
wachterjohannes wants to merge 1 commit into
symfony:mainfrom
wachterjohannes:vibe/fix-insecure-permissions-85ec43

Conversation

@wachterjohannes

Copy link
Copy Markdown
Contributor
Q A
Bug fix? yes
New feature? no
Docs? no
Issues -
License MIT

Files written by Mate that can hold secrets or local configuration were created with the process default umask (typically world-readable 0644). On a shared/multi-user host, other users could read mate/.env (secrets), mate/config.php, and the debug log.

This PR makes those files owner/group-only:

  • mate init creates mate/.env and mate/config.php with 0640 and the mate/ (and mate/src/) directories with 0750;
  • Logger creates its log file with 0640 (only on first creation) and its log directory with 0750.

The permission modes live in a single Symfony\AI\Mate\Service\FilePermissions holder (FILE, DIRECTORY, EXECUTABLE) used by both classes, so there are no duplicated constants or magic mode literals. Non-sensitive scaffolded files (mcp.json, AGENTS.md, AGENT_INSTRUCTIONS.md, .gitignore) are left at the default — they are typically committed and contain no secrets; bin/codex stays executable (0755).

Hardening is best-effort (@chmod), so it is a no-op on platforms without POSIX permissions rather than a hard failure. Tests assert the resulting permissions for the scaffolded files/directories and the log file/directory (skipped on Windows).

…ssions

Files written by mate that can contain secrets or local configuration were
created with the process default (typically world-readable 0644). On shared
hosts other users could read them.

mate init now creates mate/.env and mate/config.php with 0640 and the mate/
directory with 0750; the Logger creates its log file with 0640 and its log
directory with 0750.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Bug Something isn't working Mate Issues & PRs about the AI Mate component Status: Needs Review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants