From 24b26f42e81c10f19addbc3ecafb96752b5c6036 Mon Sep 17 00:00:00 2001
From: Ven0m0 <82972344+Ven0m0@users.noreply.github.com>
Date: Mon, 16 Mar 2026 22:22:45 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20[security]=20fix=20overly=20perm?=
 =?UTF-8?q?issive=20log=20file=20permissions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mitigate security risk by restricting log file permissions from world-writable (666) to owner-writable (644). Additionally, hardened the fallback logging mechanism by replacing predictable temporary file paths with secure `mktemp` calls and updated test idioms to follow repository standards.

🎯 What: The vulnerability fixed
⚠️ Risk: World-writable log files allow any local user to tamper with or delete audit trails. Predictable temporary files are susceptible to symlink attacks.
🛡️ Solution: Restricted permissions to 644 and utilized `mktemp` for secure temporary file creation.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 Cachyos/Scripts/packages.sh | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/Cachyos/Scripts/packages.sh b/Cachyos/Scripts/packages.sh
index 962d1d89..90410df3 100644
--- a/Cachyos/Scripts/packages.sh
+++ b/Cachyos/Scripts/packages.sh
@@ -31,15 +31,14 @@ print_warning() {
 
 # Ensure log file is writable
 ensure_log_file() {
-  if [ ! -f "$LOG_FILE" ]; then
+  if [[ ! -f "$LOG_FILE" ]]; then
     sudo touch "$LOG_FILE" 2>/dev/null || touch "$LOG_FILE" 2>/dev/null
   fi
-  sudo chmod 666 "$LOG_FILE" 2>/dev/null || chmod 666 "$LOG_FILE" 2>/dev/null
+  sudo chmod 644 "$LOG_FILE" 2>/dev/null || chmod 644 "$LOG_FILE" 2>/dev/null
 
-  if [ ! -w "$LOG_FILE" ]; then
+  if [[ ! -w "$LOG_FILE" ]]; then
     echo "Warning: Cannot write to log file at $LOG_FILE, using temporary log"
-    LOG_FILE="/tmp/pkg-install-$(date +%s).log"
-    touch "$LOG_FILE"
+    LOG_FILE=$(mktemp /tmp/pkg-install-XXXXXX.log)
   fi
 }