From be900213300254d384fd55a77a782a7cfe8f346c Mon Sep 17 00:00:00 2001
From: Henrik Lissner
Date: Tue, 5 Dec 2023 17:12:40 -0500
Subject: [PATCH] fix(cli): ensure local file/dir permissions

May catch edge cases where profile directories are created with over-restrictive permissions (mentioned in #5832).

Ref: #5832
---
 lisp/doom-cli.el | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/lisp/doom-cli.el b/lisp/doom-cli.el
index 64072373e..674e07e94 100644
--- a/lisp/doom-cli.el
+++ b/lisp/doom-cli.el
@@ -1050,9 +1050,9 @@ considered as well."
 "\n")))
 (print! (warn "Wrote extended straight log to %s")
 (path (let ((coding-system-for-write 'utf-8-auto))
- (with-temp-file error-file
- (insert-buffer-substring (straight--process-buffer)))
- (set-file-modes error-file #o600)
+ (with-file-modes #o600
+ (with-temp-file error-file
+ (insert-buffer-substring (straight--process-buffer))))
 error-file))))
 ((eq type 'error)
 (let* ((generic? (eq (car data) 'error))
@@ -1123,11 +1123,12 @@ See `doom-cli-log-file-format' for details."
 (let* ((buffer (doom-cli-context-stderr context))
 (file (doom-cli--output-file "log" context)))
 (when (> (buffer-size buffer) 0)
- (make-directory (file-name-directory file) t)
- (with-temp-file file
- (insert-buffer-substring buffer)
- (ansi-color-filter-region (point-min) (point-max)))
- (set-file-modes file #o600)))))
+ (with-file-modes #o700
+ (make-directory (file-name-directory file) t))
+ (with-file-modes #o600
+ (with-temp-file file
+ (insert-buffer-substring buffer)
+ (ansi-color-filter-region (point-min) (point-max))))))))

 (defun doom-cli--output-benchmark-h (context)
 "Write this session's benchmark to stdout or stderr, depending.
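Review bot: A file that already exists at `error-file` keeps its previous mode after this change, because `with-file-modes` only sets the default permissions applied when a file is created and the explicit `set-file-modes` call is removed; this holds for the first hunk and equally for the `file` and `tmpfile` writes in the two later hunks. Creating the file at 0600 does close the window in which a fresh file was briefly readable under the process umask, so the wrapper is worth keeping. To cover both cases, keep the chmod after the write, e.g. `(set-file-modes error-file #o600)` directly after the `with-temp-file` form inside the `with-file-modes` body. Whether these paths can pre-exist depends on how `error-file` and `doom-cli--output-file` are defined, which lies outside the hunks.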
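Review bot: The `#o700` given to `with-file-modes` in the second hunk only affects directories that `make-directory` actually creates; with a non-nil PARENTS argument it returns quietly when the directory is already there, so an existing log directory keeps whatever mode and owner it had. If that directory can sit in a shared location (the path comes from `doom-cli--output-file`, defined outside the hunk), the 0600 file inside it can still be renamed or replaced by anyone able to write to the directory. I would at least record the assumption with a comment such as `;; 0700 applies only to directories created here; an existing one is trusted as-is`, or check the result of `file-modes` on the directory before writing. The same directory handling is repeated for `tmpfile` in the third hunk.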
@@ -1351,10 +1352,11 @@ ARGS are options passed to less. If DOOMPAGER is set, ARGS are ignored."

 ((let ((tmpfile (doom-cli--output-file 'output context))
 (coding-system-for-write 'utf-8-auto))
- (make-directory (file-name-directory tmpfile) t)
- (with-temp-file tmpfile
- (insert-buffer-substring (doom-cli-context-stdout context)))
- (set-file-modes tmpfile #o600)
+ (with-file-modes #o700
+ (make-directory (file-name-directory tmpfile) t))
+ (with-file-modes #o600
+ (with-temp-file tmpfile
+ (insert-buffer-substring (doom-cli-context-stdout context))))
 (doom-cli--restart
 (format "%s <%s; rm -f%s %s"
 (or pager