only set file rights if requested

src/ahriman/application/ahriman.py

@@ -357,6 +357,7 @@ def _set_user_parser(root: SubParserAction) -> argparse.ArgumentParser:
     parser.add_argument("--no-reload", help="do not reload authentication module", action="store_true")
     parser.add_argument("-p", "--password", help="user password")
     parser.add_argument("-r", "--remove", help="remove user from configuration", action="store_true")
+    parser.add_argument("--secure", help="set file permissions to user-only", action="store_true")
     parser.set_defaults(handler=handlers.User, architecture=[""], lock=None, no_log=True, no_report=True, unsafe=True)
     return parser
 

src/ahriman/application/handlers/user.py

@@ -52,7 +52,7 @@ class User(Handler):
         User.clear_user(auth_configuration, user)
         if not args.remove:
             User.create_configuration(auth_configuration, user, salt, args.as_service)
-        User.write_configuration(auth_configuration)
+        User.write_configuration(auth_configuration, args.secure)
 
         if not args.no_reload:
             client = Application(architecture, configuration, no_report=False).repository.reporter
@@ -127,13 +127,15 @@ class User(Handler):
         return MUser.generate_password(salt_length)
 
     @staticmethod
-    def write_configuration(configuration: Configuration) -> None:
+    def write_configuration(configuration: Configuration, secure: bool) -> None:
         """
         write configuration file
         :param configuration: configuration instance
+        :param secure: if true then set file permissions to 0o600
         """
         if configuration.path is None:
             return  # should never happen actually
         with configuration.path.open("w") as ahriman_configuration:
             configuration.write(ahriman_configuration)
-        configuration.path.chmod(0o600)
+        if secure:
+            configuration.path.chmod(0o600)