When preparing the {TEMP_DATABASE} path, remote sync uses the default temp directory from QDir which isn't ideal on Linux. Moreover it only prepares a possibly unique name in the path and doesn't check if it exists prior to using it.
Expected Behavior
We should use QStandardPaths::writableLocation(QStandardPaths::RuntimeLocation) if it's available as it's usually a tmpfs that already has strict permissions making it ephemeral and more secure than /tmp which is what it currently ends up using.
Additionally it should create a unique directory in there with strict permissions and use that as the root for {TEMP_DATABASE}. After the sync is done that whole path should be recursively removed so regardless what the sync command did in that path nothing is left behind. This ensures that even if on non-Linux (or no systemd) the temp directory is world readable and persistent, KeePassXC crashing or failing somehow would only leave a directory behind that is inaccessible by other users.
Actual Behavior
On Linux, /tmp is used as the root, existence of the generated temp name is not checked and due to the unfortunate fact of using /tmp as the root the files can be world readable.
droidmonkey
commented
2 weeks ago
Overview
When preparing the
{TEMP_DATABASE}path, remote sync uses the default temp directory from QDir which isn't ideal on Linux. Moreover it only prepares a possibly unique name in the path and doesn't check if it exists prior to using it.Expected Behavior
We should use
QStandardPaths::writableLocation(QStandardPaths::RuntimeLocation)if it's available as it's usually a tmpfs that already has strict permissions making it ephemeral and more secure than /tmp which is what it currently ends up using.Additionally it should create a unique directory in there with strict permissions and use that as the root for
{TEMP_DATABASE}. After the sync is done that whole path should be recursively removed so regardless what the sync command did in that path nothing is left behind. This ensures that even if on non-Linux (or no systemd) the temp directory is world readable and persistent, KeePassXC crashing or failing somehow would only leave a directory behind that is inaccessible by other users.Actual Behavior
On Linux, /tmp is used as the root, existence of the generated temp name is not checked and due to the unfortunate fact of using /tmp as the root the files can be world readable.
Context
10842