Problem

When you run cargo add, it changes the file permissions of Cargo.toml to 600 (user read+write only). This is a little bit painful when you're building the code as a different user than the user writing the code, for example if you're running the code in a container. This applies to cargo remove as well. I tested this behaviour on Cargo 1.78.0 and nightly.

Steps

$ mkdir cargo-add-test && cd cargo-add-test
$ cargo init
$ ls -l
-rw-rw-r-- 1 user user   85 May  9 23:09 Cargo.toml
drwxrwxr-x 2 user user 4096 May  9 23:09 src
$ cargo add libc
$ ls -l
-rw-rw-r-- 1 user user  376 May  9 23:09 Cargo.lock
-rw------- 1 user user  102 May  9 23:09 Cargo.toml
drwxrwxr-x 2 user user 4096 May  9 23:09 src
$ umask
0002

Possible Solution(s)

I'm guessing that Cargo replaces the existing file with a new file, and this is why the permissions change. In this case, I think it would be better to create the file with the original user/group/world permissions (ignoring things like suid permissions), ideally bypassing the umask as well.

Edit: It appears to use the tempfile crate, which uses 600 by default on Linux.

Notes

No response

Version

cargo 1.80.0-nightly (0ca60e940 2024-05-08)
release: 1.80.0-nightly
commit-hash: 0ca60e940821c311c9b25a6423b59ccdbcea218f
commit-date: 2024-05-08
host: x86_64-unknown-linux-gnu
libgit2: 1.7.2 (sys:0.18.3 vendored)
libcurl: 8.6.0-DEV (sys:0.4.72+curl-8.6.0 vendored ssl:OpenSSL/1.1.1w)
ssl: OpenSSL 1.1.1w  11 Sep 2023
os: Ubuntu 20.4.0 (focal) [64-bit]