Skip to content

[Mate] Create scaffolded secrets and log files with restrictive permissions#2247

Open
wachterjohannes wants to merge 2 commits into
symfony:mainfrom
wachterjohannes:vibe/fix-insecure-permissions-85ec43
Open

[Mate] Create scaffolded secrets and log files with restrictive permissions#2247
wachterjohannes wants to merge 2 commits into
symfony:mainfrom
wachterjohannes:vibe/fix-insecure-permissions-85ec43

Conversation

@wachterjohannes

Copy link
Copy Markdown
Contributor
Q A
Bug fix? yes
New feature? no
Docs? no
Issues -
License MIT

Files written by Mate that can hold secrets or local configuration were created with the process default umask (typically world-readable 0644). On a shared/multi-user host, other users could read mate/.env (secrets), mate/config.php, and the debug log.

This PR makes those files owner/group-only:

  • mate init creates mate/.env and mate/config.php with 0640 and the mate/ (and mate/src/) directories with 0750;
  • Logger creates its log file with 0640 (only on first creation) and its log directory with 0750.

The permission modes live in a single Symfony\AI\Mate\Service\FilePermissions holder (FILE, DIRECTORY, EXECUTABLE) used by both classes, so there are no duplicated constants or magic mode literals. Non-sensitive scaffolded files (mcp.json, AGENTS.md, AGENT_INSTRUCTIONS.md, .gitignore) are left at the default — they are typically committed and contain no secrets; bin/codex stays executable (0755).

Hardening is best-effort (@chmod), so it is a no-op on platforms without POSIX permissions rather than a hard failure. Tests assert the resulting permissions for the scaffolded files/directories and the log file/directory (skipped on Windows).

Comment thread src/mate/src/Command/InitCommand.php Outdated
if (!is_dir($mateDir)) {
mkdir($mateDir, 0755, true);
mkdir($mateDir, FilePermissions::DIRECTORY, true);
@chmod($mateDir, FilePermissions::DIRECTORY);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is @chmod needed here, but not for the other mkdir calls? wouldn't expect it is needed at all tbh

@wachterjohannes

Copy link
Copy Markdown
Contributor Author

@chr-hertel You're right, dropped it. mkdir($dir, 0750, true) already sets the mode at creation, and umask can only remove bits — so the dir is never more permissive than 0750 and the chmod was redundant (under a strict umask it'd even loosen 0700 back to 0750). Removed it from both InitCommand and Logger. The chmod on the files stays — copy()/file_put_contents() ignore the mode and create 0644, so that's the bit that actually matters.

…ssions

Files written by mate that can contain secrets or local configuration were
created with the process default (typically world-readable 0644). On shared
hosts other users could read them.

mate init now creates mate/.env and mate/config.php with 0640 and the mate/
directory with 0750; the Logger creates its log file with 0640 and its log
directory with 0750.
mkdir already applies the mode at creation and umask can only remove
bits, so the directory is never more permissive than the requested
0750. The follow-up chmod was redundant (and could even loosen a
stricter umask result), so remove it from InitCommand and Logger. The
chmod on the created files stays, as copy()/file_put_contents() ignore
the mode and default to 0644.
@wachterjohannes wachterjohannes force-pushed the vibe/fix-insecure-permissions-85ec43 branch from b9084fc to a15d35a Compare July 9, 2026 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Bug Something isn't working Mate Issues & PRs about the AI Mate component Status: Needs Review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants