🛡️ Sentinel: [MEDIUM] Fix insecure file permissions on lockfile

google-labs-jules[bot] · bitcoiner-dev · google-labs-jules[bot] · commit d03da8ad718b · 2026-03-28T13:09:15.000Z
🚨 Severity: MEDIUM
💡 Vulnerability: The `ProfileLock` struct creates lock files and their parent directories using default system permissions (`fs::create_dir_all` and `fs::OpenOptions::new()`), which could expose sensitive config paths or metadata on shared systems.
🎯 Impact: Local privilege escalation or info leakage of profile presence/metadata if executed on a shared multi-user machine.
🔧 Fix: Updated `ProfileLock::acquire` to use `crate::paths::create_secure_dir_all` (mode `0o700`) for the parent directory and explicitly set mode `0o600` for the lockfile itself via `OpenOptionsExt` on Unix platforms. Also cleaned up `cargo fmt` errors across codebase.
✅ Verification: `cargo test`, `cargo clippy`, and `cargo fmt` execute successfully. Check `.lock` file permissions after running the CLI.

Co-authored-by: bitcoiner-dev &lt;75873427+bitcoiner-dev@users.noreply.github.com&gt;
diff --git a/src/commands/account.rs b/src/commands/account.rs
@@ -1,8 +1,8 @@
 use crate::cli::{AccountAction, AccountArgs, Cli};
 use crate::error::AppError;
+use crate::output::CommandOutput;
 use crate::wallet_service::{now_unix, AccountState};
 use crate::{load_wallet_session, profile_path, read_profile, write_profile};
-use crate::output::CommandOutput;
 use zinc_core::Account;
 
 pub async fn run(cli: &Cli, args: &AccountArgs) -> Result<CommandOutput, AppError> {
diff --git a/src/commands/address.rs b/src/commands/address.rs
@@ -1,8 +1,8 @@
 use crate::cli::{AddressArgs, AddressKind, Cli};
 use crate::error::AppError;
+use crate::output::CommandOutput;
 use crate::wallet_service::map_wallet_error;
 use crate::{load_wallet_session, persist_wallet_session};
-use crate::output::CommandOutput;
 
 pub async fn run(cli: &Cli, args: &AddressArgs) -> Result<CommandOutput, AppError> {
     let mut session = load_wallet_session(cli)?;
diff --git a/src/commands/doctor.rs b/src/commands/doctor.rs
@@ -1,7 +1,7 @@
 use crate::cli::Cli;
 use crate::error::AppError;
-use crate::{profile_path, read_profile};
 use crate::output::CommandOutput;
+use crate::{profile_path, read_profile};
 use zinc_core::{OrdClient, ZincWallet};
 
 pub async fn run(cli: &Cli) -> Result<CommandOutput, AppError> {
diff --git a/src/commands/inscription.rs b/src/commands/inscription.rs
@@ -12,11 +12,7 @@ pub async fn run(cli: &Cli, _args: &InscriptionArgs) -> Result<CommandOutput, Ap
     let display_items = if !cli.thumb_enabled() {
         None
     } else {
-        Some(get_inscription_display_items(
-            &session.profile.ord_url,
-            &sorted_inscriptions,
-        )
-        .await)
+        Some(get_inscription_display_items(&session.profile.ord_url, &sorted_inscriptions).await)
     };
 
     Ok(CommandOutput::InscriptionList {
diff --git a/src/commands/lock.rs b/src/commands/lock.rs
@@ -1,8 +1,8 @@
 use crate::cli::{Cli, LockAction, LockArgs};
 use crate::error::AppError;
+use crate::output::CommandOutput;
 use crate::wallet_service::now_unix;
 use crate::{confirm, profile_lock_path, read_lock_metadata};
-use crate::output::CommandOutput;
 use std::fs;
 
 pub async fn run(cli: &Cli, args: &LockArgs) -> Result<CommandOutput, AppError> {
diff --git a/src/commands/mod.rs b/src/commands/mod.rs
@@ -12,6 +12,6 @@ pub mod setup;
 pub mod snapshot;
 pub mod sync;
 pub mod tx;
+pub mod version;
 pub mod wait;
 pub mod wallet;
-pub mod version;
diff --git a/src/commands/scenario.rs b/src/commands/scenario.rs
@@ -1,9 +1,9 @@
 use crate::cli::{Cli, ScenarioAction, ScenarioArgs};
 use crate::error::AppError;
+use crate::output::CommandOutput;
 use crate::utils::run_bitcoin_cli;
 use crate::wallet_service::NetworkArg;
 use crate::{confirm, load_wallet_session, persist_wallet_session, snapshot_dir};
-use crate::output::CommandOutput;
 use std::fs;
 
 pub async fn run(cli: &Cli, args: &ScenarioArgs) -> Result<CommandOutput, AppError> {
@@ -121,9 +121,7 @@ pub async fn run(cli: &Cli, args: &ScenarioArgs) -> Result<CommandOutput, AppErr
                 }
             }
 
-            CommandOutput::ScenarioReset {
-                removed,
-            }
+            CommandOutput::ScenarioReset { removed }
         }
     };
 
diff --git a/src/commands/wallet.rs b/src/commands/wallet.rs
@@ -79,7 +79,11 @@ pub async fn run(cli: &Cli, args: &WalletArgs) -> Result<CommandOutput, AppError
                 bitcoin_cli: default_bitcoin_cli(),
                 bitcoin_cli_args: default_bitcoin_cli_args().join(" "),
                 phrase,
-                words: if cli.reveal || !cli.agent { Some(wallet.words.len()) } else { None },
+                words: if cli.reveal || !cli.agent {
+                    Some(wallet.words.len())
+                } else {
+                    None
+                },
             })
         }
         WalletAction::Import {
@@ -133,7 +137,11 @@ pub async fn run(cli: &Cli, args: &WalletArgs) -> Result<CommandOutput, AppError
                 scheme: scheme_arg.to_string(),
                 account_index: 0,
                 imported: true,
-                phrase: if cli.reveal || !cli.agent { Some(mnemonic.to_string()) } else { None },
+                phrase: if cli.reveal || !cli.agent {
+                    Some(mnemonic.to_string())
+                } else {
+                    None
+                },
             })
         }
         WalletAction::Info => {
diff --git a/src/dashboard.rs b/src/dashboard.rs
@@ -175,12 +175,7 @@ fn activate_session(
     state.network = Some(resolved_network.value);
     state.profile_name = Some(resolved_profile);
 
-    state.ordinals_address = Some(
-        session
-            .wallet
-            .peek_taproot_address(0)
-            .to_string(),
-    );
+    state.ordinals_address = Some(session.wallet.peek_taproot_address(0).to_string());
     state.payment_address = session
         .wallet
         .peek_payment_address(0)
diff --git a/src/lock.rs b/src/lock.rs
@@ -22,14 +22,21 @@ impl ProfileLock {
         let lock_path = profile_path.with_extension("lock");
 
         if let Some(parent) = lock_path.parent() {
-            fs::create_dir_all(parent).map_err(|e| {
+            crate::paths::create_secure_dir_all(parent).map_err(|e| {
                 crate::error::AppError::Config(format!("failed to create lock dir: {e}"))
             })?;
         }
 
-        let file = fs::OpenOptions::new()
-            .write(true)
-            .create_new(true)
+        let mut options = fs::OpenOptions::new();
+        options.write(true).create_new(true);
+
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::OpenOptionsExt;
+            options.mode(0o600);
+        }
+
+        let file = options
             .open(&lock_path)
             .map_err(|_| AppError::Config("profile is locked by another instance".to_string()))?;
 
diff --git a/src/paths.rs b/src/paths.rs
@@ -25,8 +25,8 @@ pub fn write_secure_file<P: AsRef<Path>>(path: P, contents: &[u8]) -> std::io::R
     let path = path.as_ref();
     #[cfg(unix)]
     {
-        use std::os::unix::fs::OpenOptionsExt;
         use std::io::Write;
+        use std::os::unix::fs::OpenOptionsExt;
         let mut options = fs::OpenOptions::new();
         options.write(true).create(true).truncate(true).mode(0o600);
         let mut file = options.open(path)?;
diff --git a/src/presenter/grid.rs b/src/presenter/grid.rs
@@ -73,11 +73,7 @@ pub fn render_grid(cards: &[GridCard], max_cols: usize, gutter: usize) -> String
 
         for line_idx in 0..max_height {
             for (card_idx, card) in row_cards.iter().enumerate() {
-                let line = card
-                    .lines
-                    .get(line_idx)
-                    .map(|s| s.as_str())
-                    .unwrap_or("");
+                let line = card.lines.get(line_idx).map(|s| s.as_str()).unwrap_or("");
 
                 // Pad every card to cell_width so columns stay aligned.
                 out.push_str(&pad_to_visible(line, cell_width));
@@ -119,9 +115,15 @@ mod tests {
     #[test]
     fn grid_arranges_cards_side_by_side() {
         let cards = vec![
-            GridCard { lines: vec!["AAAA".into(), "AAAA".into()] },
-            GridCard { lines: vec!["BBBB".into(), "BBBB".into()] },
-            GridCard { lines: vec!["CCCC".into()] }, // shorter card
+            GridCard {
+                lines: vec!["AAAA".into(), "AAAA".into()],
+            },
+            GridCard {
+                lines: vec!["BBBB".into(), "BBBB".into()],
+            },
+            GridCard {
+                lines: vec!["CCCC".into()],
+            }, // shorter card
         ];
         let output = render_grid(&cards, 20, 2);
         // With cell_width=4, gutter=2, cols_per_row = (20+2)/(4+2) = 3
@@ -138,9 +140,15 @@ mod tests {
     #[test]
     fn grid_wraps_to_multiple_rows() {
         let cards = vec![
-            GridCard { lines: vec!["AAAA".into()] },
-            GridCard { lines: vec!["BBBB".into()] },
-            GridCard { lines: vec!["CCCC".into()] },
+            GridCard {
+                lines: vec!["AAAA".into()],
+            },
+            GridCard {
+                lines: vec!["BBBB".into()],
+            },
+            GridCard {
+                lines: vec!["CCCC".into()],
+            },
         ];
         // max_cols=10, gutter=2 → cell_width=4, cols_per_row = (10+2)/(4+2) = 2
         let output = render_grid(&cards, 10, 2);

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,9 @@`
`1`	`1`	`use crate::cli::{Cli, ScenarioAction, ScenarioArgs};`
`2`	`2`	`use crate::error::AppError;`
	`3`	`+use crate::output::CommandOutput;`
`3`	`4`	`use crate::utils::run_bitcoin_cli;`
`4`	`5`	`use crate::wallet_service::NetworkArg;`
`5`	`6`	`use crate::{confirm, load_wallet_session, persist_wallet_session, snapshot_dir};`
`6`		`-use crate::output::CommandOutput;`
`7`	`7`	`use std::fs;`
`8`	`8`
`9`	`9`	`pub async fn run(cli: &Cli, args: &ScenarioArgs) -> Result<CommandOutput, AppError> {`
`@@ -121,9 +121,7 @@ pub async fn run(cli: &Cli, args: &ScenarioArgs) -> Result<CommandOutput, AppErr`
`121`	`121`	`}`
`122`	`122`	`}`
`123`	`123`
`124`		`- CommandOutput::ScenarioReset {`
`125`		`- removed,`
`126`		`- }`
	`124`	`+ CommandOutput::ScenarioReset { removed }`
`127`	`125`	`}`
`128`	`126`	`};`
`129`	`127`