From ef521216f1042ad947ca2dd8eb02d847c16a9dd7 Mon Sep 17 00:00:00 2001
From: gus
Date: Sat, 4 Apr 2026 12:45:38 -0300
Subject: [PATCH 1/2] fix: restrict IPC socket directory permissions to owner-only

The queue socket directory at /tmp/acpx-/ and the queue base directory at ~/.acpx/queues/ are created with mkdir without explicit mode, inheriting the default umask (typically 0o755). This allows other local users to list socket files and connect to them. Set mode 0o700 on both directories so only the owning user can access the IPC sockets.
---
 src/queue-lease-store.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/queue-lease-store.ts b/src/queue-lease-store.ts
index 05831e7f..59350e29 100644
--- a/src/queue-lease-store.ts
+++ b/src/queue-lease-store.ts
@@ -87,10 +87,10 @@ function isQueueOwnerHeartbeatStale(owner: QueueOwnerRecord): boolean {
 }
 async function ensureQueueDir(): Promise {
- await fs.mkdir(queueBaseDir(), { recursive: true });
+ await fs.mkdir(queueBaseDir(), { recursive: true, mode: 0o700 });
 const socketDir = queueSocketBaseDir();
 if (socketDir) {
- await fs.mkdir(socketDir, { recursive: true });
+ await fs.mkdir(socketDir, { recursive: true, mode: 0o700 });
 }
 }
From ef1ef6f1f1a5a4f8202f15c4e8d6f9646c7d3d69 Mon Sep 17 00:00:00 2001
From: gus
Date: Sat, 4 Apr 2026 12:49:16 -0300
Subject: [PATCH 2/2] fix: add explicit chmod after mkdir for existing directories

mkdir with recursive: true does not change permissions on directories that already exist. An explicit chmod ensures the correct mode is applied even if the directory was previously created with a more permissive umask.
---
 src/queue-lease-store.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/queue-lease-store.ts b/src/queue-lease-store.ts
index 59350e29..a06d3b66 100644
--- a/src/queue-lease-store.ts
+++ b/src/queue-lease-store.ts
@@ -87,10 +87,13 @@ function isQueueOwnerHeartbeatStale(owner: QueueOwnerRecord): boolean {
 }
 async function ensureQueueDir(): Promise {
- await fs.mkdir(queueBaseDir(), { recursive: true, mode: 0o700 });
+ const baseDir = queueBaseDir();
+ await fs.mkdir(baseDir, { recursive: true, mode: 0o700 });
+ await fs.chmod(baseDir, 0o700);
 const socketDir = queueSocketBaseDir();
 if (socketDir) {
 await fs.mkdir(socketDir, { recursive: true, mode: 0o700 });
+ await fs.chmod(socketDir, 0o700);
 }
 }
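Review bot: The `fs.chmod(socketDir, 0o700)` added inside the `if (socketDir)` branch tightens the mode but never checks what the path actually is, and the commit description places that directory under /tmp. With `recursive: true`, mkdir succeeds when the path already exists, so a directory or symlink created beforehand by another local account is accepted, and chmod follows symlinks rather than acting on the link itself. I would verify the path before the chmod on POSIX hosts, for example `const st = await fs.lstat(socketDir);` followed by `if (!st.isDirectory() || st.uid !== process.getuid?.()) throw new Error("unsafe queue socket directory");`. A short comment above each chmod, such as `// mkdir's mode is ignored when the directory already exists`, would also keep the reason for the second call in the code. How queueSocketBaseDir() builds the path is outside the hunk, so the exposure should be confirmed against it.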