From b6870de7f84880a12e0ba50398919e90e299afaa Mon Sep 17 00:00:00 2001
From: Steve Yegge
Date: Sun, 23 Nov 2025 20:11:45 -0800
Subject: [PATCH] Fix: Change file permissions from 0644 to 0600 for security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The gosec linter (G302) requires file permissions to be 0600 or less for security. Updated atomicWriteFile to use 0600 (owner read/write only) instead of 0644 (world readable). This affects config files written by bd setup commands (cursor, aider, claude), making them only accessible by the owner.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 cmd/bd/setup/utils.go | 4 ++--
 cmd/bd/setup/utils_test.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/bd/setup/utils.go b/cmd/bd/setup/utils.go
index 87c18c47..788a051f 100644
--- a/cmd/bd/setup/utils.go
+++ b/cmd/bd/setup/utils.go
@@ -31,8 +31,8 @@ func atomicWriteFile(path string, data []byte) error {
 return fmt.Errorf("close temp file: %w", err)
 }
- // Set permissions to 0644
- if err := os.Chmod(tmpPath, 0644); err != nil {
+ // Set permissions to 0600 (owner read/write only)
+ if err := os.Chmod(tmpPath, 0600); err != nil {
 _ = os.Remove(tmpPath) // Best effort cleanup
 return fmt.Errorf("set permissions: %w", err)
 }
diff --git a/cmd/bd/setup/utils_test.go b/cmd/bd/setup/utils_test.go
index 345fb012..e5569584 100644
--- a/cmd/bd/setup/utils_test.go
+++ b/cmd/bd/setup/utils_test.go
@@ -35,8 +35,8 @@ func TestAtomicWriteFile(t *testing.T) {
 }
 mode := info.Mode()
- if mode.Perm() != 0644 {
- t.Errorf("file permissions mismatch: got %o, want %o", mode.Perm(), 0644)
+ if mode.Perm() != 0600 {
+ t.Errorf("file permissions mismatch: got %o, want %o", mode.Perm(), 0600)
 }
 // Test overwriting existing file
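Review bot: The `os.Chmod(tmpPath, 0600)` call in atomicWriteFile runs only after the data has been written and the temp file closed, so the protection depends on how the temp file was created, which is outside this hunk. If it comes from `os.CreateTemp` the file is already 0600 and this chmod is redundant. If it is opened with a wider mode, the contents are readable by other local users until this line runs, and the mode should be set at creation instead, e.g. `os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)`. The function also now forces 0600 on every target regardless of its previous mode, which deserves a line in its doc comment such as `// The written file is always mode 0600, whatever mode path had before.`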
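Review bot: The `mode.Perm() != 0600` assertion in TestAtomicWriteFile covers only the freshly created file, while the case that matters for this change is a destination that already exists with a looser mode. The section starting at `// Test overwriting existing file` continues outside the hunk, so it may already cover this. If it does not, chmod the target to 0644 before the second write and repeat the `mode.Perm() != 0600` check afterwards, so a regression that preserves the old mode is caught.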