LinuxCommandLibrary

yadm-perms

Sync file permissions from a template file

TLDR

Change file permissions

$ yadm perms

SYNOPSIS

yadm perms [-f | --fix] [-n | --dry-run] [-v | --verbose] [-q | --quiet] [-L | --no-log-perms] [path...]

PARAMETERS

-f, --fix
    Automatically fix identified insecure file permissions to more secure defaults.

-n, --dry-run
    Perform a dry run. Show what permissions would be changed without actually modifying any files.

-v, --verbose
    Increase verbosity. Display information about files that already have correct permissions, in addition to those with issues.

-q, --quiet
    Suppress output for files with correct permissions, only showing files that require attention or changes.

-L, --no-log-perms
    When used with --fix, prevents yadm from logging permission changes to its internal Git repository. This is primarily for advanced use cases where permission changes should not trigger Git tracking updates.

path...
    Optional: Specify one or more specific paths to check or fix. If omitted, yadm-perms will apply to all files managed by yadm in the current repository.

DESCRIPTION

The yadm-perms command, typically invoked as yadm perms, is a core utility of yadm (Yet Another Dotfiles Manager). Its purpose is to inspect, report on, and optionally correct the file permissions of dotfiles managed by yadm.

This command is crucial for maintaining the security of sensitive configuration files, such as SSH keys, GnuPG files, or Git configurations, which often contain private information. It helps ensure that these files do not have overly permissive access rights (e.g., world-readable or world-writable) that could compromise system security.

yadm-perms identifies files with permissions that are considered 'too open' based on yadm's security defaults. It provides options to perform a dry run to see proposed changes or to automatically fix the permissions to more secure levels, typically 0600 (read/write only by owner) or 0644 (read/write by owner, read-only by group and others). By automating permission checks and fixes, yadm-perms streamlines the process of keeping your dotfiles secure across various systems.

CAVEATS

The yadm-perms command operates on files managed by yadm and requires yadm to be properly installed and initialized. While generally safe, using the --fix option should be done with caution, especially for files where non-standard permissions might be intentionally set. yadm's default security assumptions might not always align with highly specific use cases, in which case custom permission overrides should be configured within yadm.

It primarily addresses file permissions and does not manage permissions for directories themselves.

PERMISSION ENFORCEMENT LOGIC

By default, yadm-perms considers permissions insecure if they allow write access to group or others (e.g., anything more permissive than 0644 for regular files or 0755 for executable files, or specific stricter rules like 0600 for very sensitive files like SSH keys). This logic is built into yadm to align with common security best practices for configuration files.
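The following script is an added example, not yadm's own code: it re-implements the rule just described (any group or world write bit is too open; 0600 for SSH and GnuPG material, 0644 or 0755 otherwise) with a report mode and a fix mode that mirror --dry-run and --fix. The path prefixes treated as sensitive and the use of GNU stat are assumptions of the example.

```sh
#!/bin/sh
# Added example, not yadm's own code: a minimal re-implementation of the
# "too open" rule described above. Assumes GNU stat (-c %a); the sensitive
# paths (.ssh, .gnupg) and 0600/0644/0755 baselines follow the text above.
# expected_mode FILE: print the most permissive mode allowed for FILE.
expected_mode() {
  case "$1" in
    */.ssh/*|*/.gnupg/*) echo 600 ;;                    # sensitive: owner-only
    *) if [ -x "$1" ]; then echo 755; else echo 644; fi ;;
  esac
}
# too_open FILE: exit 0 when FILE carries a permission bit its expected mode
# does not grant (e.g. group or world write); the leading 0 forces octal.
too_open() {
  actual=$(stat -c '%a' "$1")
  allowed=$(expected_mode "$1")
  [ $(( 0$actual & ~0$allowed )) -ne 0 ]
}
# perms_check report|fix FILE...: one line per file; return 1 if any file was
# too open (chmod'ed to the expected mode when the action is "fix"), else 0.
perms_check() {
  action=$1; shift
  rc=0
  for f in "$@"; do
    want=$(expected_mode "$f")
    if too_open "$f"; then
      rc=1
      if [ "$action" = fix ]; then
        chmod "$want" "$f" && printf 'fixed    %s -> %s\n' "$f" "$want"
      else
        printf 'insecure %s (mode %s, want %s)\n' "$f" "$(stat -c '%a' "$f")" "$want"
      fi
    else
      printf 'ok       %s\n' "$f"
    fi
  done
  return "$rc"
}

# demo: constructed sample files (not real dotfiles) run through report and fix.
demo() {
  d=$(mktemp -d); mkdir -p "$d/.ssh" "$d/.config"
  : > "$d/.ssh/id_demo";     chmod 644 "$d/.ssh/id_demo"     # key readable by all
  : > "$d/.config/app.conf"; chmod 666 "$d/.config/app.conf" # world-writable
  perms_check report "$d/.ssh/id_demo" "$d/.config/app.conf" || :
  perms_check fix    "$d/.ssh/id_demo" "$d/.config/app.conf" || :
  perms_check report "$d/.ssh/id_demo" "$d/.config/app.conf"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh perms-example.sh demo` to see the report, the fix, and the clean re-check on the constructed files.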

CUSTOMIZING EXPECTED PERMISSIONS

For specific files where yadm's default permission expectations do not match your needs (e.g., a file that genuinely must be world-readable), you can instruct yadm to expect a different mode. This is done via yadm config local.perms (e.g., yadm config local.perms.~/.config/myapp/config 0664). This lets you bypass warnings or automatic fixes for those specific files without weakening the security checks on all others.

HISTORY

The perms command was developed as an integral part of the yadm project, created by Mike McQuaid. Its inclusion reflects yadm's emphasis on providing not just a robust dotfile management solution but also one that prioritizes security. As dotfiles frequently contain sensitive personal and system configurations, the ability to easily check and enforce secure permissions was deemed a critical feature from early in yadm's development. It addresses a common oversight in manual dotfile management: ensuring appropriate file access rights to prevent unauthorized information disclosure.

SEE ALSO

yadm(1), chmod(1), git(1)
