Automatically tighten the data directory permissions and create new configs with secure defaults to keep upgrades painless.

algis-dumbris · algis-dumbris · commit 3d511abf954a · 2025-10-25T21:19:52.000+03:00
diff --git a/internal/config/loader.go b/internal/config/loader.go
@@ -39,7 +39,7 @@ func LoadFromFile(configPath string) (*Config, error) {
 	}
 
 	// Create data directory if it doesn't exist
-	if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {
+	if err := os.MkdirAll(cfg.DataDir, 0700); err != nil {
 		return nil, fmt.Errorf("failed to create data directory %s: %w", cfg.DataDir, err)
 	}
 
@@ -91,7 +91,7 @@ func Load() (*Config, error) {
 			}
 
 			// Create data directory if it doesn't exist
-			if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {
+			if err := os.MkdirAll(cfg.DataDir, 0700); err != nil {
 				return nil, fmt.Errorf("failed to create data directory %s: %w", cfg.DataDir, err)
 			}
 
@@ -124,7 +124,7 @@ func Load() (*Config, error) {
 	}
 
 	// Create data directory if it doesn't exist
-	if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {
+	if err := os.MkdirAll(cfg.DataDir, 0700); err != nil {
 		return nil, fmt.Errorf("failed to create data directory %s: %w", cfg.DataDir, err)
 	}
 
@@ -350,7 +350,7 @@ func SaveConfig(cfg *Config, path string) error {
 
 	// Ensure directory exists
 	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, 0755); err != nil {
+	if err := os.MkdirAll(dir, 0700); err != nil {
 		fmt.Printf("[DEBUG] SaveConfig - MkdirAll failed: %v\n", err)
 		return fmt.Errorf("failed to create config directory: %w", err)
 	}
diff --git a/internal/runtime/apply_config_restart_test.go b/internal/runtime/apply_config_restart_test.go
@@ -138,7 +138,7 @@ func TestApplyConfig_SaveFailure(t *testing.T) {
 	err = os.Chmod(tmpDir, 0555)
 	require.NoError(t, err)
 	defer func() {
-		_ = os.Chmod(tmpDir, 0755)
+		_ = os.Chmod(tmpDir, 0700)
 	}()
 
 	// Create new config
diff --git a/internal/server/listener_permissions_unix.go b/internal/server/listener_permissions_unix.go
@@ -26,12 +26,38 @@ func validateDataDirectoryPermissionsPlatform(dataDir string, info os.FileInfo,
 	// Unix: Check permissions are secure (0700 or stricter)
 	perm := info.Mode().Perm()
 	if perm&0077 != 0 {
-		return fmt.Errorf(
-			"data directory has insecure permissions %#o, must be 0700 or stricter\n"+
-				"Security risk: Other users can access mcpproxy data and control socket\n"+
-				"To fix, run: chmod 0700 %s",
-			perm, dataDir,
-		)
+		logger.Warn("Data directory has insecure permissions; attempting automatic repair",
+			zap.String("path", dataDir),
+			zap.String("current_permissions", fmt.Sprintf("%#o", perm)))
+
+		if err := os.Chmod(dataDir, 0700); err != nil {
+			return fmt.Errorf(
+				"data directory has insecure permissions %#o, must be 0700 or stricter\n"+
+					"automatic repair failed: %w\n"+
+					"Security risk: Other users can access mcpproxy data and control socket\n"+
+					"To fix manually, run: chmod 0700 %s",
+				perm, err, dataDir,
+			)
+		}
+
+		updatedInfo, err := os.Stat(dataDir)
+		if err != nil {
+			return fmt.Errorf("failed to recheck data directory after permission repair: %w", err)
+		}
+		perm = updatedInfo.Mode().Perm()
+		if perm&0077 != 0 {
+			return fmt.Errorf(
+				"data directory remains with insecure permissions %#o even after automatic repair, must be 0700 or stricter\n"+
+					"Security risk: Other users can access mcpproxy data and control socket\n"+
+					"To fix manually, run: chmod 0700 %s",
+				perm, dataDir,
+			)
+		}
+
+		logger.Info("Data directory permissions tightened automatically",
+			zap.String("path", dataDir),
+			zap.String("permissions", fmt.Sprintf("%#o", perm)))
+		return nil
 	}
 
 	logger.Info("Data directory security validation passed",
diff --git a/internal/server/listener_test.go b/internal/server/listener_test.go
@@ -167,9 +167,11 @@ func TestValidateDataDirectory_InsecurePermissions(t *testing.T) {
 	require.NoError(t, err)
 
 	err = ValidateDataDirectory(tmpDir, logger)
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "insecure permissions")
-	assert.Contains(t, err.Error(), "chmod 0700")
+	require.NoError(t, err)
+
+	info, statErr := os.Stat(tmpDir)
+	require.NoError(t, statErr)
+	assert.Equal(t, os.FileMode(0700), info.Mode().Perm(), "validate should tighten permissions automatically")
 }
 
 func TestValidateDataDirectory_CreateIfNotExists(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ func LoadFromFile(configPath string) (*Config, error) {`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`// Create data directory if it doesn't exist`
`42`		`- if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {`
	`42`	`+ if err := os.MkdirAll(cfg.DataDir, 0700); err != nil {`
`43`	`43`	`return nil, fmt.Errorf("failed to create data directory %s: %w", cfg.DataDir, err)`
`44`	`44`	`}`
`45`	`45`
`@@ -91,7 +91,7 @@ func Load() (*Config, error) {`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`// Create data directory if it doesn't exist`
`94`		`- if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {`
	`94`	`+ if err := os.MkdirAll(cfg.DataDir, 0700); err != nil {`
`95`	`95`	`return nil, fmt.Errorf("failed to create data directory %s: %w", cfg.DataDir, err)`
`96`	`96`	`}`
`97`	`97`
`@@ -124,7 +124,7 @@ func Load() (*Config, error) {`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`// Create data directory if it doesn't exist`
`127`		`- if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {`
	`127`	`+ if err := os.MkdirAll(cfg.DataDir, 0700); err != nil {`
`128`	`128`	`return nil, fmt.Errorf("failed to create data directory %s: %w", cfg.DataDir, err)`
`129`	`129`	`}`
`130`	`130`
`@@ -350,7 +350,7 @@ func SaveConfig(cfg *Config, path string) error {`
`350`	`350`
`351`	`351`	`// Ensure directory exists`
`352`	`352`	`dir := filepath.Dir(path)`
`353`		`- if err := os.MkdirAll(dir, 0755); err != nil {`
	`353`	`+ if err := os.MkdirAll(dir, 0700); err != nil {`
`354`	`354`	`fmt.Printf("[DEBUG] SaveConfig - MkdirAll failed: %v\n", err)`
`355`	`355`	`return fmt.Errorf("failed to create config directory: %w", err)`
`356`	`356`	`}`