nohup: create nohup.out with mode 0600 #12339

Open: c-tonneslan wants to merge 1 commit into uutils:main from c-tonneslan:fix/nohup-private-out

@c-tonneslan

Closes #10021.

POSIX nohup creates the output file as owner-only so other local users can't read what the detached job logs. We were leaving the mode at the process umask, so on a host with the typical umask of 022 the file would land at 0644 and anyone could read it.

Pass `.mode(0o600)` on the OpenOptions. The mode only applies to newly-created files; if `nohup.out` already exists its permissions are left alone, which matches GNU.

Verified locally:

```
$ umask 022
$ ./target/debug/nohup sh -c 'echo secret'
nohup: ignoring input and appending output to 'nohup.out'
$ ls -l nohup.out
-rw-------  1 me  staff  7 May 16 19:52 nohup.out
```

POSIX nohup creates the output file with permissions that block other
users from reading it. We were leaving the mode at the process umask
default, so on a typical system with umask 022 the file would land at
0644 and any other local user could read whatever the detached job
logged. That's not great on multi-user hosts.

Pass `.mode(0o600)` on the OpenOptions so newly-created `nohup.out`
files start out as owner-only. Existing files keep their current
permissions, which matches GNU.

Closes uutils#10021.

Signed-off-by: Charlie Tonneslan <cst0520@gmail.com>
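
An added example, not code from this pull request or from uutils: a standalone Rust program showing that `.mode(0o600)` on `OpenOptions` only takes effect when the file is created, so a pre-existing world-readable output file stays exposed. The helper names and scratch file names are hypothetical.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::Write;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Open `path` for appending, creating it owner-only if it does not exist.
/// Returns the permission bits the file has after the open.
fn open_private_append(path: &Path) -> std::io::Result<u32> {
    let mut f = OpenOptions::new()
        .create(true)
        .append(true)
        .mode(0o600) // consulted by open(2) only when the file is created
        .open(path)?;
    f.write_all(b"secret\n")?;
    Ok(f.metadata()?.permissions().mode() & 0o777)
}

/// True when group or other has any access bit set.
fn exposed_to_others(mode: u32) -> bool {
    mode & 0o077 != 0
}

/// Runs both cases in a scratch directory (constructed paths) and
/// returns (mode of newly created file, mode of pre-existing file).
fn demo() -> std::io::Result<(u32, u32)> {
    let dir = std::env::temp_dir().join(format!("nohup-mode-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;

    // Case 1: the output file does not exist yet.
    let new_mode = open_private_append(&dir.join("fresh.out"))?;

    // Case 2: an older 0644 file is already there (chmod ignores the umask).
    let stale = dir.join("stale.out");
    fs::write(&stale, b"old\n")?;
    fs::set_permissions(&stale, Permissions::from_mode(0o644))?;
    let existing_mode = open_private_append(&stale)?;

    fs::remove_dir_all(&dir)?;
    Ok((new_mode, existing_mode))
}

fn main() -> std::io::Result<()> {
    let (new_mode, existing_mode) = demo()?;
    println!("new file:      {:04o} exposed={}", new_mode, exposed_to_others(new_mode));
    println!("existing file: {:04o} exposed={}", existing_mode, exposed_to_others(existing_mode));
    Ok(())
}
```

On a multi-user host, the second case is the one to audit for: output files left behind by an older build keep whatever mode they already had.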

Successfully merging this pull request may close these issues.

nohup creates world-readable output files
