Set standard permissions for temporary files

crates/install-wheel-rs/src/wheel.rs

@@ -498,7 +498,7 @@ fn install_script(
             .as_bytes()
             .to_vec();
 
-        let mut target = tempfile::NamedTempFile::new_in(&layout.scheme.scripts)?;
+        let mut target = uv_fs::tempfile_in(&layout.scheme.scripts)?;
         let size_and_encoded_hash = copy_and_hash(&mut start.chain(script), &mut target)?;
         target.persist(&script_absolute).map_err(|err| {
             io::Error::new(

crates/uv-fs/src/lib.rs

@@ -101,10 +101,25 @@ pub fn replace_symlink(src: impl AsRef<Path>, dst: impl AsRef<Path>) -> std::io:
     }
 }
 
+/// Return a [`NamedTempFile`] in the specified directory.
+#[cfg(unix)]
+pub fn tempfile_in(path: &Path) -> std::io::Result<NamedTempFile> {
+    use std::os::unix::fs::PermissionsExt;
+    tempfile::Builder::new()
+        .permissions(std::fs::Permissions::from_mode(0o644))
+        .tempfile_in(path)
+}
+
+/// Return a [`NamedTempFile`] in the specified directory.
+#[cfg(not(unix))]
+pub fn tempfile_in(path: &Path) -> std::io::Result<NamedTempFile> {
+    tempfile::Builder::new().tempfile_in(path)
+}
+
 /// Write `data` to `path` atomically using a temporary file and atomic rename.
 #[cfg(feature = "tokio")]
 pub async fn write_atomic(path: impl AsRef<Path>, data: impl AsRef<[u8]>) -> std::io::Result<()> {
-    let temp_file = NamedTempFile::new_in(
+    let temp_file = tempfile_in(
         path.as_ref()
             .parent()
             .expect("Write path must have a parent"),
@@ -125,7 +140,7 @@ pub async fn write_atomic(path: impl AsRef<Path>, data: impl AsRef<[u8]>) -> std
 
 /// Write `data` to `path` atomically using a temporary file and atomic rename.
 pub fn write_atomic_sync(path: impl AsRef<Path>, data: impl AsRef<[u8]>) -> std::io::Result<()> {
-    let temp_file = NamedTempFile::new_in(
+    let temp_file = tempfile_in(
         path.as_ref()
             .parent()
             .expect("Write path must have a parent"),