more world-writable warning improvements (#6389)

3 improvements:
1. show up to 3 actual paths that are world-writable
2. do the scan/warning for Read-Only mode too, because it also applies
there
3. remove the "Cancel" option since it doesn't always apply (like on
startup)
iceweasel-oai
2025-11-08 11:35:43 -08:00
committed by GitHub
parent 5beb6167c8
commit a47181e471
5 changed files with 155 additions and 64 deletions


@@ -1,6 +1,5 @@
use crate::token::world_sid;
use crate::winutil::to_wide;
use anyhow::anyhow;
use anyhow::Result;
use std::collections::HashSet;
use std::ffi::c_void;
@@ -177,7 +176,7 @@ pub fn audit_everyone_writable(
cwd: &Path,
env: &std::collections::HashMap<String, String>,
logs_base_dir: Option<&Path>,
) -> Result<()> {
) -> Result<Vec<PathBuf>> {
let start = Instant::now();
let mut flagged: Vec<PathBuf> = Vec::new();
let mut seen: HashSet<String> = HashSet::new();
@@ -265,14 +264,7 @@ pub fn audit_everyone_writable(
),
logs_base_dir,
);
let mut list_err = String::new();
for p in flagged {
list_err.push_str(&format!("\n - {}", p.display()));
}
return Err(anyhow!(
"Refusing to run: found directories writable by Everyone: {}",
list_err
));
return Ok(flagged);
}
// Log success once if nothing flagged
crate::logging::log_note(
@@ -281,7 +273,7 @@ pub fn audit_everyone_writable(
),
logs_base_dir,
);
Ok(())
Ok(Vec::new())
}
// Fast mask-based check: does the DACL contain any ACCESS_ALLOWED ACE for
// Everyone that includes generic or specific write bits? Skips inherit-only
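Review bot: In the flagged branch of `audit_everyone_writable`, `return Ok(flagged);` replaces the old `Err(anyhow!("Refusing to run: ..."))`, so a call site that only propagates with `?` now continues when Everyone-writable directories exist, and nothing in the signature says that a non-empty `Vec` is a finding. A doc comment on the function would pin that contract, for example `/// Returns the directories writable by Everyone (empty when none were found); a finding is reported through the list, not as an error, so the caller must inspect it.` The call sites are not visible in these hunks, so whether each one checks the list before proceeding should be confirmed there. The function body starts and ends outside the hunks shown.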


@@ -172,7 +172,7 @@ mod windows_impl {
cwd: &Path,
env_map: &HashMap<String, String>,
logs_base_dir: Option<&Path>,
) -> Result<()> {
) -> Result<Vec<PathBuf>> {
audit::audit_everyone_writable(cwd, env_map, logs_base_dir)
}
@@ -438,7 +438,7 @@ mod stub {
_cwd: &Path,
_env_map: &HashMap<String, String>,
_logs_base_dir: Option<&Path>,
) -> Result<()> {
) -> Result<Vec<std::path::PathBuf>> {
bail!("Windows sandbox is only available on Windows")
}