I am trying to add aerc to home-manager. When home-manager generates the aerc config, it places a read-only symlink pointing to a world-readable accounts.conf file in the nix store. However, with this method, I cannot run aerc as it returns with an error and the following message:
The file /home/xxx/.config/aerc/accounts.conf has too open permissions. This is a security issue (it contains passwords). To fix it, run `chmod 600 /home/xxx/.config/aerc/accounts.conf` Failed to load config: account.conf permissions too lax
I cannot simply chmod it to the required permissions since the filesystem containing the accounts.conf file is read-only. I can also guarantee that there are no secrets in the generated accounts.conf file, since home-manager only adds an outgoing-cred-cmd to the file.
What is the best way forward? In cases like this where the user can guarantee that there are no secrets in accounts.conf, the security error shouldn't block the user from running aerc. Instead, if it was a warning (and especially one that can be disabled somehow), that would be useful for users on other platforms.
TL;DR: Send a patch that changes it to a warning unless there's a password in the file. Keep in mind that to parse that, not only must we look for the password in the individual connection strings for all workers, as those may include passwords after the colon, but also ensure that the error triggers if any of the OAuth bearer stuff is used, as those tokens grant you full access to the mail account.
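One way the check described in the reply could look, as an added example in Go (not aerc's code and not the requested patch). It assumes the connection strings live under `source` and `outgoing` keys, that OAuth mechanisms show up as a scheme suffix such as `+oauthbearer`, and that "too open" means any group or other permission bit; the sample config and password are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// holdsSecret scans accounts.conf text; "source"/"outgoing" are assumed key names.
func holdsSecret(conf string) (bool, string) {
	sc := bufio.NewScanner(strings.NewReader(conf))
	for n := 1; sc.Scan(); n++ {
		key, val, ok := strings.Cut(sc.Text(), "=")
		if key = strings.TrimSpace(key); !ok || (key != "source" && key != "outgoing") {
			continue // section header, comment, *-cred-cmd or unrelated key
		}
		u, err := url.Parse(strings.TrimSpace(val))
		if err != nil {
			return true, fmt.Sprintf("line %d: unparseable %s, failing closed", n, key)
		}
		if strings.Contains(u.Scheme, "oauth") { // assumed "+oauthbearer"-style suffix
			return true, fmt.Sprintf("line %d: %s uses an OAuth mechanism", n, key)
		}
		if pw, set := u.User.Password(); set && pw != "" {
			return true, fmt.Sprintf("line %d: %s has a password after the colon", n, key)
		}
	}
	return false, ""
}

// check is fatal only when a file accessible beyond its owner holds a credential.
func check(conf string, mode os.FileMode) (fatal bool, msg string) {
	if mode.Perm()&0o077 == 0 { // assumption: any group/other bit counts as too open
		return false, ""
	}
	if secret, why := holdsSecret(conf); secret {
		return true, "accounts.conf permissions too lax: " + why
	}
	return false, "warning: accounts.conf is accessible to others (no credentials found)"
}

// Constructed sample resembling the generated file: only a credential command.
const generated = "[Personal]\nsource = imaps://me@mail.example.org\n" +
	"outgoing = smtps://me@mail.example.org\noutgoing-cred-cmd = pass show mail\n"
func main() {
	fmt.Println(check(generated, 0o444)) // warning, not fatal
	fmt.Println(check("outgoing = smtps://me:hunter2@mail.example.org\n", 0o444))
}
```

An unparseable connection string is treated as secret-bearing, so a parser gap cannot silently downgrade the error to a warning.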