fix: restrict .env file permissions to 0600

Set file mode 0600 on ~/.hermes/.env after creation in the installer and after every write via memory_setup._write_env_vars(). This ensures only the file owner can read/write API keys and tokens, matching standard practice for credential files (.netrc, .aws/credentials, .ssh/config). Fixes #25477
2026-05-14 07:59:31 -07:00
parent f26098e22f
commit a952ca3ff6
2 changed files with 10 additions and 0 deletions
--- a/hermes_cli/memory_setup.py
+++ b/hermes_cli/memory_setup.py
@@ -379,6 +379,12 @@ def _write_env_vars(env_path: Path, env_writes: dict) -> None:
            new_lines.append(f"{key}={val}")

    env_path.write_text("\n".join(new_lines) + "\n", encoding="utf-8")
+    # Restrict permissions — .env holds API keys and tokens.
+    try:
+        import stat
+        env_path.chmod(stat.S_IRUSR | stat.S_IWUSR)  # 0600
+    except OSError:
+        pass  # Windows or read-only FS


 # ---------------------------------------------------------------------------
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -1426,6 +1426,10 @@ copy_config_templates() {
    else
        log_info "~/.hermes/.env already exists, keeping it"
    fi
+    # Restrict .env permissions — this file holds API keys and tokens.
+    # 0600 ensures only the file owner can read/write, matching standard
+    # practice for credential files (.netrc, .aws/credentials, .ssh/config).
+    chmod 600 "$HERMES_HOME/.env"
    configure_browser_env_from_system_browser

    # Create config.yaml at ~/.hermes/config.yaml (top level, easy to find)