Merge pull request #4223 from ProvableHQ/fix/file-permissions

[Fix] Allow 0400 permissions for key files

Author: vicsn

.cargo/audit.toml

@@ -13,4 +13,6 @@ ignore = [
   "RUSTSEC-2026-0002",
   # TODO remove once we migrate away from bincode, or it becomes maintained again.
   "RUSTSEC-2025-0141",
+  # TODO remove once termwiz/terminfo update to phf 0.13+, which drops the rand 0.8 dependency.
+  "RUSTSEC-2026-0097",
 ]

Cargo.lock

@@ -973,14 +973,20 @@ impl Start {
     }
 }
 
+/// Checks whether a file can only be read/written by the owner. It also allows more restrictive permissions, where only the owner can read it.
 fn check_permissions(path: &PathBuf) -> Result<(), snarkvm::prelude::Error> {
     #[cfg(target_family = "unix")]
     {
         use std::os::unix::fs::PermissionsExt;
         ensure!(path.exists(), "The file '{path:?}' does not exist");
         crate::check_parent_permissions(path)?;
+
         let permissions = path.metadata()?.permissions().mode();
-        ensure!(permissions & 0o777 == 0o600, "The file {path:?} must be readable only by the owner (0600)");
+        ensure!(
+            matches!(permissions & 0o777, 0o400 | 0o600),
+            "The file {} must be readable and writable only by the owner (0600)",
+            path.display()
+        );
     }
     Ok(())
 }

cli/src/commands/start.rs

@@ -34,14 +34,19 @@ use std::{
     path::Path,
 };
 
+/// Checks whether the parent directory of a file can only be read and modified by the owner.
 #[cfg(unix)]
 pub fn check_parent_permissions<T: AsRef<Path>>(path: T) -> Result<()> {
     use anyhow::{bail, ensure};
     use std::os::unix::fs::PermissionsExt;
 
     if let Some(parent) = path.as_ref().parent() {
         let permissions = parent.metadata()?.permissions().mode();
-        ensure!(permissions & 0o777 == 0o700, "The folder {parent:?} must be readable only by the owner (0700)");
+        ensure!(
+            permissions & 0o777 == 0o700,
+            "The folder {} must be readable and writeable only by the owner (0700)",
+            parent.display()
+        );
     } else {
         let path = path.as_ref();
         bail!("Parent does not exist for path={}", path.display());

cli/src/lib.rs

@@ -44,7 +44,16 @@ use anyhow::{Result, bail};
 use locktick::parking_lot::RwLock;
 #[cfg(not(feature = "locktick"))]
 use parking_lot::RwLock;
-use std::{cmp, collections::HashMap, fs, net::SocketAddr, path::{Path, PathBuf}, str::FromStr, sync::Arc, time::Duration};
+use std::{
+    cmp,
+    collections::HashMap,
+    fs,
+    net::SocketAddr,
+    path::{Path, PathBuf},
+    str::FromStr,
+    sync::Arc,
+    time::Duration,
+};
 use tokio::task;
 
 /// The number of blocks between automatic database checkpoints.
@@ -456,7 +465,10 @@ impl<N: Network> Node<N> {
 #[cfg(test)]
 mod tests {
     use super::existing_startup_checkpoint_height;
-    use std::{fs, time::{SystemTime, UNIX_EPOCH}};
+    use std::{
+        fs,
+        time::{SystemTime, UNIX_EPOCH},
+    };
 
     #[test]
     fn seeds_last_checkpoint_height_when_startup_checkpoint_directory_exists() {