Stricter permissions for Deno.makeTemp* (#4318)

1 files changed, 11 insertions, 9 deletions

diff --git a/cli/fs.rs b/cli/fs.rs
index 04aa15cf5..731a3971e 100644
--- a/cli/fs.rs
+++ b/cli/fs.rs
@@ -1,6 +1,6 @@
 // Copyright 2018-2020 the Deno authors. All rights reserved. MIT license.
 use std;
-use std::fs::{create_dir, DirBuilder, File, OpenOptions};
+use std::fs::{DirBuilder, File, OpenOptions};
 use std::io::ErrorKind;
 use std::io::Write;
 use std::path::{Component, Path, PathBuf};
@@ -11,7 +11,7 @@ use rand::Rng;
 use walkdir::WalkDir;
 
 #[cfg(unix)]
-use std::os::unix::fs::{DirBuilderExt, PermissionsExt};
+use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
 
 #[cfg(unix)]
 use nix::unistd::{chown as unix_chown, Gid, Uid};
@@ -76,15 +76,17 @@ pub fn make_temp(
   loop {
     let unique = rng.gen::<u32>();
     buf.set_file_name(format!("{}{:08x}{}", prefix_, unique, suffix_));
-    // TODO: on posix, set mode flags to 0o700.
     let r = if is_dir {
-      create_dir(buf.as_path())
+      let mut builder = DirBuilder::new();
+      set_dir_permission(&mut builder, 0o700);
+      builder.create(buf.as_path())
     } else {
-      OpenOptions::new()
-        .write(true)
-        .create_new(true)
-        .open(buf.as_path())
-        .map(|_| ())
+      let mut open_options = OpenOptions::new();
+      open_options.write(true).create_new(true);
+      #[cfg(unix)]
+      open_options.mode(0o600);
+      open_options.open(buf.as_path())?;
+      Ok(())
     };
     match r {
       Err(ref e) if e.kind() == ErrorKind::AlreadyExists => continue,