netrc file generated by `fh login` is world-readable

[antoineco]

fh 0.1.16

As indicated in the title, the netrc file created by fh login is readable by everyone by default:

$ fh login
Log in to FlakeHub: https://flakehub.com/token/create?description=FlakeHub+CLI+on+myhost
And then follow the prompts below:

\> Paste your token here: ********
Logged in: true
GitHub user name: antoineco
Token expires at: 2024-12-13 12:16:00 +00:00

$ ls -l /nix/var/determinate/
total 12
srw-rw-rw- 1 root root    0 Sep 14 12:27 determinate-nixd.socket
-rw-r--r-- 1 root root  149 Sep 14 12:37 identity.json
prwx------ 1 root root    0 Sep 14 12:27 intake.pipe
-rw-r--r-- 1 root root 3463 Sep 14 12:37 netrc
-r-xr--r-- 1 root root  341 Sep 14 12:27 post-build-hook.sh

$ id
uid=1000(acotten) gid=100(users) groups=100(users),1(wheel)

$ cat /nix/var/determinate/netrc
machine flakehub.com login flakehub password ...
machine api.flakehub.com login flakehub password ...
machine cache.flakehub.com login flakehub password ...

Note that if the file is created manually with the permissions -rw-r-----, fh resets those permissions.

The Nix daemon was installed and configured by https://flakehub.com/flake/DeterminateSystems/determinate.