#17896: fix(config): warn instead of silently swallowing chmod failure on config write
stale
size: XL
Cluster:
Config File Security Enhancements
## Summary
Change silent `catch {}` to `deps.logger.warn()` when `chmod 0o600` fails on config file write, making permission issues visible for debugging.
**Issue:** #17440
## Change Type
- [x] Bug fix (non-breaking change which fixes an issue)
## Scope
- **Files changed:** `src/config/io.ts`
- **Risk:** Very low — only adds a warning log, no behavior change
## Security Impact
- Improves security visibility — failed permission restrictions are now logged
## Steps to Reproduce
1. Config file is written on a filesystem that doesn't support chmod (e.g., some Docker volumes, Windows via WSL)
2. **Before fix:** chmod failure silently swallowed — no indication permissions weren't set
3. **After fix:** Warning logged with error details
## Evidence
- `pnpm build` ✅
- `pnpm check` (lint+format) ✅
- Targeted tests: 410 tests passed (47 files, config, IO) on Windows host ✅
- Full baseline: 542 tests passed ✅
## Human Verification
- [x] Code reviewed by human contributor
## Compatibility
- Fully backward compatible — only changes logging behavior
- No config changes, no API changes
## Failure & Recovery
- N/A — this IS the failure recovery improvement
## Risks
- None — purely observational change
---
🤖 AI-assisted (Opus 4.6 implementation, reviewed by Opus 4.6 + GPT 5.3 Codex with thinking high)
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Replaces silent error swallowing with a warning log when `chmod 0o600` fails during config file write, improving security visibility by making permission failures observable.
- Improved observability: chmod failures now logged with error details
- Minor style inconsistency: uses optional chaining where `deps.logger` is guaranteed to exist
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk
- The change only adds observability by logging a warning when chmod fails - no behavioral changes, no new error paths introduced. The minor style inconsistency (unnecessary optional chaining) doesn't affect functionality.
- No files require special attention
<sub>Last reviewed commit: 1e7998f</sub>
<!-- greptile_other_comments_section -->
<sub>(5/5) You can turn off certain types of comments like style [here](https://app.greptile.com/review/github)!</sub>
<!-- /greptile_comment -->
Most Similar PRs
#17463: fix: write config files with explicit 0o600 mode instead of post-wr...
by miclaldogan · 2026-02-15
86.0%
#18924: fix(security): tighten permissions on cron/, browser/, settings/ dirs…
by rexlunae · 2026-02-17
74.7%
#12048: fix: deduplicate config warnings to log once instead of on every re...
by mcaxtr · 2026-02-08
74.6%
#6257: Fix: Create sensitive directories with mode 0o700
by sloppy-claw · 2026-02-01
73.9%
#11439: fix(security): warn on relative OPENCLAW_CONFIG_PATH and disable co...
by coygeek · 2026-02-07
73.6%
#19129: fix(config): block destructive config writes instead of only loggin...
by pierreeurope · 2026-02-17
73.5%
#18939: fix: tighten permissions on cron/, browser/, settings/, logs/ in do...
by sriram369 · 2026-02-17
73.2%
#18954: fix(security): secure cron, browser, settings dirs in doctor --fix
by BinHPdev · 2026-02-17
73.2%
#19632: fix: suppressToolErrors now suppresses exec tool failure notifications
by Gitjay11 · 2026-02-18
72.9%
#5649: fix(security): harden file permissions and header merging
by sfo2001 · 2026-01-31
72.8%