Tighten ~/.snowy file permissions to 0700/0600#125
Merged
Conversation
config.json, the metadata cache, history, and saved-query files were written 0644 in a 0755 directory. Passwords live in the Keychain, but these files still hold host/port/database/username — readable by other users on a shared machine. Create ~/.snowy and its subdirs as 0700 and write all user-data files as 0600. CSV export (a user-chosen path outside ~/.snowy) is left at 0644. Adds permissions_test.go asserting the resulting dir/file modes. Closes #118
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #118.
What changed
config.json, the metadata cache, history, and saved-query files were written0644inside a0755directory. Passwords now live in the Keychain, but these files still contain host, port, database, and username — meaningful on shared machines.Tightened all nine
~/.snowywrite sites:~/.snowy+config.json07000600cache/+<dsId>.json07000600history/+<dsId>.jsonl07000600queries/<dsId>/+*.sql07000600CSV export (
ExportCSV) writes to a user-chosen path outside~/.snowyvia the native Save dialog, so it's intentionally left at0644.Acceptance criteria
~/.snowy(and subdirs) created with07000600Testing
permissions_test.go— four tests exercise the real constructors/writers under a tempHOMEand assert exactMode().Perm()for each dir and file. All pass.go test .— full suite green.Note:
0700/0600have no group/other bits, so the asserted modes are deterministic regardless of the runner's umask.