fix(store): chmod SQLite DB files to 0600 on open

Bare-metal installs created the DB with process umask (often 022),
making uptop.db, -wal, and -shm world-readable. These files contain
alert credentials and config. Now chmod 0600 after open. Missing
WAL/SHM siblings (not yet created) are silently skipped. Docker
installs were already mitigated by the non-root UID.
This commit was merged in pull request #119.
2026-06-12 09:51:11 -04:00
parent 6cf0efed9b
commit c3eac80e14
+8
@@ -4,6 +4,7 @@ import (
"database/sql"
"fmt"
"log/slog"
"os"
_ "modernc.org/sqlite"
)
@@ -25,6 +26,13 @@ func NewSQLiteStore(path string) (*SQLStore, error) {
if err != nil {
return nil, err
}
if path != ":memory:" {
for _, suffix := range []string{"", "-wal", "-shm"} {
if err := os.Chmod(path+suffix, 0600); err != nil && !os.IsNotExist(err) {
slog.Warn("failed to chmod database file", "path", path+suffix, "err", err)
}
}
}
return s, nil
}
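Review bot: The `!os.IsNotExist(err)` filter in the chmod loop also covers the main database file (suffix `""`), so if that chmod misses the file the hardening silently does nothing and no warning is logged. That can happen when `path` is given in a DSN form such as a `file:` URI with query parameters, or, if nothing before this point has forced the driver to create the file (NewSQLiteStore starts outside the hunk, so this is not visible here), when the file appears later under the process umask. Tolerate a missing file only for the siblings, e.g. `if err := os.Chmod(path+suffix, 0600); err != nil && (suffix == "" || !os.IsNotExist(err)) {`. Separately, the file is still readable under the umask between creation and the chmod; pre-creating it with `os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0600)` and closing it before the open would remove that window. Since these files hold alert credentials, consider returning an error rather than only warning when the chmod of the main file fails.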