APEX/BrowserUse_and_ComputerUse_skills
5
0
Fork 0
Code Issues 4 Pull requests 1 Projects 1 Releases Packages Wiki Activity Actions

fix: restrict .env file permissions to owner-only

Browse source 
save_env_value() writes API keys to ~/.hermes/.env but never sets file
permissions, leaving the file world-readable (0644). auth.py already
restricts auth.json to 0600 — apply the same treatment to .env.

Skipped on Windows where chmod is not effective.
This commit is contained in:
Himess 2026-03-06 15:14:26 +03:00
parent b89eb29174
commit 32dbd31b9a
No known key found for this signature in database
GPG key ID: 4F75A83557AF759B
1 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
hermes_cli/config.py
View file

@ -14,8 +14,9 @@ This module provides:
import os import os
import platform import platform
import sys import stat
import subprocess import subprocess
import sys
from pathlib import Path from pathlib import Path
from typing import Dict, Any, Optional, List, Tuple from typing import Dict, Any, Optional, List, Tuple
@ -680,6 +681,13 @@ def save_env_value(key: str, value: str):
with open(env_path, 'w', **write_kw) as f: with open(env_path, 'w', **write_kw) as f:
f.writelines(lines) f.writelines(lines)
# Restrict .env permissions to owner-only (contains API keys)
if not _IS_WINDOWS:
try:
os.chmod(env_path, stat.S_IRUSR | stat.S_IWUSR)
except OSError:
pass
def get_env_value(key: str) -> Optional[str]: def get_env_value(key: str) -> Optional[str]:
"""Get a value from ~/.hermes/.env or environment.""" """Get a value from ~/.hermes/.env or environment."""