Restrict file permissions for sensitive health data

jcrussell · claude · jcrussell · commit 5e959bfdfd27 · 2025-12-26T17:02:06.000-08:00
Tighten file permissions on output files and geocoding cache to prevent world-readable access to sensitive health information: - Output directory: 0755 → 0700 (owner-only access) - Output HTML files: implicit → 0600 (owner-only read/write) - Geocoding cache directory: 0755 → 0700 (owner-only access) - Geocoding cache file: 0644 → 0600 (owner-only read/write) These changes ensure that HTML dashboards containing medical records and cached geocoded facility addresses are only accessible by the file owner. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/pkg/cmd/generate/generate.go b/pkg/cmd/generate/generate.go
@@ -149,7 +149,7 @@ func runGenerate(opts *GenerateOptions) error {
 	}
 
 	// 4. Generate Output
-	if err := os.MkdirAll(opts.OutputDir, 0755); err != nil {
+	if err := os.MkdirAll(opts.OutputDir, 0700); err != nil {
 		return err
 	}
 
@@ -206,7 +206,12 @@ func runGenerate(opts *GenerateOptions) error {
 
 		// Wrap in closure to ensure proper defer scoping in loop
 		if err := func() error {
-			f, err := os.Create(filepath.Join(opts.OutputDir, filename))
+			// Create HTML file with owner-only permissions (sensitive health data)
+			f, err := os.OpenFile(
+				filepath.Join(opts.OutputDir, filename),
+				os.O_WRONLY|os.O_CREATE|os.O_TRUNC,
+				0600,
+			)
 			if err != nil {
 				return err
 			}
diff --git a/pkg/geocode/geocode.go b/pkg/geocode/geocode.go
@@ -186,7 +186,7 @@ func (g *NominatimGeocoder) SaveCache() error {
 
 	// Ensure cache directory exists
 	cacheDir := filepath.Dir(g.cachePath)
-	if err := os.MkdirAll(cacheDir, 0755); err != nil {
+	if err := os.MkdirAll(cacheDir, 0700); err != nil {
 		return fmt.Errorf("failed to create cache directory: %w", err)
 	}
 
@@ -220,7 +220,7 @@ func (g *NominatimGeocoder) SaveCache() error {
 
 	// Atomic write: write to temp file, then rename
 	tempPath := g.cachePath + ".tmp"
-	if err := os.WriteFile(tempPath, data, 0644); err != nil {
+	if err := os.WriteFile(tempPath, data, 0600); err != nil {
 		return fmt.Errorf("failed to write temp cache file: %w", err)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,7 @@ func runGenerate(opts *GenerateOptions) error {`
`149`	`149`	`}`
`150`	`150`
`151`	`151`	`// 4. Generate Output`
`152`		`- if err := os.MkdirAll(opts.OutputDir, 0755); err != nil {`
	`152`	`+ if err := os.MkdirAll(opts.OutputDir, 0700); err != nil {`
`153`	`153`	`return err`
`154`	`154`	`}`
`155`	`155`
`@@ -206,7 +206,12 @@ func runGenerate(opts *GenerateOptions) error {`
`206`	`206`
`207`	`207`	`// Wrap in closure to ensure proper defer scoping in loop`
`208`	`208`	`if err := func() error {`
`209`		`- f, err := os.Create(filepath.Join(opts.OutputDir, filename))`
	`209`	`+ // Create HTML file with owner-only permissions (sensitive health data)`
	`210`	`+ f, err := os.OpenFile(`
	`211`	`+ filepath.Join(opts.OutputDir, filename),`
	`212`	`+ os.O_WRONLY\|os.O_CREATE\|os.O_TRUNC,`
	`213`	`+ 0600,`
	`214`	`+ )`
`210`	`215`	`if err != nil {`
`211`	`216`	`return err`
`212`	`217`	`}`
Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ func (g *NominatimGeocoder) SaveCache() error {`
`186`	`186`
`187`	`187`	`// Ensure cache directory exists`
`188`	`188`	`cacheDir := filepath.Dir(g.cachePath)`
`189`		`- if err := os.MkdirAll(cacheDir, 0755); err != nil {`
	`189`	`+ if err := os.MkdirAll(cacheDir, 0700); err != nil {`
`190`	`190`	`return fmt.Errorf("failed to create cache directory: %w", err)`
`191`	`191`	`}`
`192`	`192`
`@@ -220,7 +220,7 @@ func (g *NominatimGeocoder) SaveCache() error {`
`220`	`220`
`221`	`221`	`// Atomic write: write to temp file, then rename`
`222`	`222`	`tempPath := g.cachePath + ".tmp"`
`223`		`- if err := os.WriteFile(tempPath, data, 0644); err != nil {`
	`223`	`+ if err := os.WriteFile(tempPath, data, 0600); err != nil {`
`224`	`224`	`return fmt.Errorf("failed to write temp cache file: %w", err)`
`225`	`225`	`}`
`226`	`226`