ensure data directories have appropriate permissions

j-chmielewski · j-chmielewski · commit ab9616193d13 · 2025-09-19T09:49:10.000+02:00
diff --git a/src-tauri/cli/src/bin/dg.rs b/src-tauri/cli/src/bin/dg.rs
@@ -2,7 +2,7 @@
 use std::os::unix::fs::PermissionsExt;
 use std::{
     fmt,
-    fs::{create_dir, OpenOptions},
+    fs::{create_dir, set_permissions, OpenOptions, Permissions},
     net::IpAddr,
     path::{Path, PathBuf},
     str::FromStr,
@@ -619,6 +619,14 @@ async fn main() {
     };
     debug!("The following configuration will be used: {config_path:?}");
 
+    // Ensure data directory has appropriate permissions (dg25-28)
+    if let Err(err) = set_permissions(&config_path, Permissions::from_mode(0o700)) {
+        warn!(
+            "Failed to set permissions on data directory {}: {err}",
+            config_path.display()
+        );
+    }
+
     if let Some(("enroll", submatches)) = matches.subcommand() {
         debug!("Enrollment command has been selected, starting enrollment.");
         let token = submatches
diff --git a/src-tauri/src/bin/defguard-client.rs b/src-tauri/src/bin/defguard-client.rs
@@ -3,7 +3,13 @@
 // Prevents additional console window on Windows in release, DO NOT REMOVE!!
 #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
 
-use std::{env, str::FromStr, sync::LazyLock};
+use std::{
+    env,
+    fs::{set_permissions, Permissions},
+    os::unix::fs::PermissionsExt,
+    str::FromStr,
+    sync::LazyLock,
+};
 
 #[cfg(target_os = "windows")]
 use defguard_client::utils::sync_connections;
@@ -277,15 +283,22 @@ fn main() {
     app.run(|app_handle, event| match event {
         // Startup tasks
         RunEvent::Ready => {
+            // Ensure data directory has appropriate permissions (dg25-28)
+            let data_dir = app_handle
+                    .path()
+                    .app_data_dir()
+                    .unwrap_or_else(|_| "UNDEFINED DATA DIRECTORY".into());
+            if let Err(err) = set_permissions(&data_dir, Permissions::from_mode(0o700)) {
+                warn!(
+                    "Failed to set permissions on data directory {}: {err}",
+                    data_dir.display()
+                );
+            }
             info!(
                 "Application data (database file) will be stored in: {} and application logs in: {}. \
                 Logs of the background Defguard service responsible for managing VPN connections at the \
                 network level will be stored in: {}.",
-                // display the path to the app data directory, convert option<pathbuf> to option<&str>
-                app_handle
-                    .path()
-                    .app_data_dir()
-                    .unwrap_or_else(|_| "UNDEFINED DATA DIRECTORY".into()).display(),
+                data_dir.display(),
                 app_handle
                     .path()
                     .app_log_dir()
