fix(perm): set umask 077 (#1554)

This ensures no other user can read shell history data

Resolves #1250

Cargo.lock

@@ -191,6 +191,7 @@ dependencies = [
  "ratatui",
  "rpassword",
  "runtime-format",
+ "rustix",
  "semver",
  "serde",
  "serde_json",

Cargo.toml

@@ -44,6 +44,7 @@ whoami = "1.1.2"
 typed-builder = "0.18.0"
 pretty_assertions = "1.3.0"
 thiserror = "1.0"
+rustix = {version = "0.38.28", features=["process", "fs"]}
 
 [workspace.dependencies.reqwest]
 version = "0.11"

atuin/Cargo.toml

@@ -65,6 +65,7 @@ fs-err = { workspace = true }
 whoami = { workspace = true }
 rpassword = "7.0"
 semver = { workspace = true }
+rustix = { workspace = true }
 runtime-format = "0.1.3"
 tiny-bip39 = "1"
 futures-util = "0.3"

atuin/src/command/mod.rs

@@ -2,6 +2,8 @@ use clap::{CommandFactory, Subcommand};
 use clap_complete::{generate, generate_to, Shell};
 use eyre::Result;
 
+use rustix::{fs::Mode, process::umask};
+
 #[cfg(feature = "client")]
 mod client;
 
@@ -46,6 +48,11 @@ pub enum AtuinCmd {
 
 impl AtuinCmd {
     pub fn run(self) -> Result<()> {
+        // set umask before we potentially open/create files
+        // or in other words, 077. Do not allow any access to any other user
+        let mode = Mode::RWXG | Mode::RWXO;
+        umask(mode);
+
         match self {
             #[cfg(feature = "client")]
             Self::Client(client) => client.run(),