Skip to content

Tighten ~/.snowy file permissions to 0700/0600#125

Merged
nkcoder merged 1 commit into
mainfrom
bug/118-tighten-snowy-permissions
Jul 3, 2026
Merged

Tighten ~/.snowy file permissions to 0700/0600#125
nkcoder merged 1 commit into
mainfrom
bug/118-tighten-snowy-permissions

Conversation

@nkcoder

@nkcoder nkcoder commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Closes #118.

What changed

config.json, the metadata cache, history, and saved-query files were written 0644 inside a 0755 directory. Passwords now live in the Keychain, but these files still contain host, port, database, and username — meaningful on shared machines.

Tightened all nine ~/.snowy write sites:

Path Dir File
~/.snowy + config.json 0700 0600
cache/ + <dsId>.json 0700 0600
history/ + <dsId>.jsonl 0700 0600
queries/<dsId>/ + *.sql 0700 0600

CSV export (ExportCSV) writes to a user-chosen path outside ~/.snowy via the native Save dialog, so it's intentionally left at 0644.

Acceptance criteria

  • ~/.snowy (and subdirs) created with 0700
  • Config, cache, history, and saved-query files written with 0600
  • Tests assert the resulting permissions

Testing

  • New permissions_test.go — four tests exercise the real constructors/writers under a temp HOME and assert exact Mode().Perm() for each dir and file. All pass.
  • go test . — full suite green.

Note: 0700/0600 have no group/other bits, so the asserted modes are deterministic regardless of the runner's umask.

config.json, the metadata cache, history, and saved-query files were
written 0644 in a 0755 directory. Passwords live in the Keychain, but
these files still hold host/port/database/username — readable by other
users on a shared machine. Create ~/.snowy and its subdirs as 0700 and
write all user-data files as 0600. CSV export (a user-chosen path
outside ~/.snowy) is left at 0644.

Adds permissions_test.go asserting the resulting dir/file modes.

Closes #118
@nkcoder nkcoder merged commit c0a6664 into main Jul 3, 2026
2 checks passed
@nkcoder nkcoder deleted the bug/118-tighten-snowy-permissions branch July 3, 2026 10:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Tighten ~/.snowy file permissions to 0700/0600

1 participant