mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-18 04:41:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix: restrict .env file permissions to 0600

Browse source 
Set file mode 0600 on ~/.hermes/.env after creation in the installer and
after every write via memory_setup._write_env_vars(). This ensures only
the file owner can read/write API keys and tokens, matching standard
practice for credential files (.netrc, .aws/credentials, .ssh/config).

Fixes #25477
This commit is contained in:
vanthinh6886 2026-05-14 07:59:31 -07:00 committed by Teknium
parent f26098e22f
commit a952ca3ff6
2 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
hermes_cli/memory_setup.py
View file

@ -379,6 +379,12 @@ def _write_env_vars(env_path: Path, env_writes: dict) -> None:
new_lines.append(f"{key}={val}")
env_path.write_text("\n".join(new_lines) + "\n", encoding="utf-8")
# Restrict permissions — .env holds API keys and tokens.
try:
import stat
env_path.chmod(stat.S_IRUSR | stat.S_IWUSR) # 0600
except OSError:
pass # Windows or read-only FS
# ---------------------------------------------------------------------------

4
scripts/install.sh
View file

@ -1426,6 +1426,10 @@ copy_config_templates() {
else
log_info "~/.hermes/.env already exists, keeping it"
fi
# Restrict .env permissions — this file holds API keys and tokens.
# 0600 ensures only the file owner can read/write, matching standard
# practice for credential files (.netrc, .aws/credentials, .ssh/config).
chmod 600 "$HERMES_HOME/.env"
configure_browser_env_from_system_browser
# Create config.yaml at ~/.hermes/config.yaml (top level, easy to find)