From c3eac80e1458d8f8e51fe011044d2d34ff7f7445 Mon Sep 17 00:00:00 2001
From: Tyler Koenig
Date: Fri, 12 Jun 2026 09:51:11 -0400
Subject: [PATCH] fix(store): chmod SQLite DB files to 0600 on open

Bare-metal installs created the DB with process umask (often 022), making uptop.db, -wal, and -shm world-readable. These files contain alert credentials and config. Now chmod 0600 after open. Missing WAL/SHM siblings (not yet created) are silently skipped. Docker installs were already mitigated by the non-root UID.

---
 internal/store/sqlite.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/internal/store/sqlite.go b/internal/store/sqlite.go
index 5f57b50..24c7498 100644
--- a/internal/store/sqlite.go
+++ b/internal/store/sqlite.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"fmt"
 	"log/slog"
+	"os"
 
 	_ "modernc.org/sqlite"
 )
@@ -25,6 +26,13 @@ func NewSQLiteStore(path string) (*SQLStore, error) {
 	if err != nil {
 		return nil, err
 	}
+	if path != ":memory:" {
+		for _, suffix := range []string{"", "-wal", "-shm"} {
+			if err := os.Chmod(path+suffix, 0600); err != nil && !os.IsNotExist(err) {
+				slog.Warn("failed to chmod database file", "path", path+suffix, "err", err)
+			}
+		}
+	}
 	return s, nil
 }
 
--
2.52.0
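Review bot: The chmod loop in the second hunk runs after the database has been opened, so on a fresh install the file is first created with the umask-derived mode (0644 under umask 022) and only then tightened, and the `!os.IsNotExist(err)` clause means that if the open call preceding the hunk does not actually create the file (database/sql opens connections lazily, so whether the path exists here depends on what the lines above the hunk do — I cannot see them) the main DB is skipped silently and the fix is a no-op until the next start. Both issues go away if the file is pre-created with 0600 before SQLite touches it; SQLite's unix VFS appears to derive the -wal/-shm modes from the main database file, so that also covers the siblings the current loop can only catch on the next open, though this should be confirmed against the modernc build. I would keep the existing loop for installs whose files are already world-readable and add the pre-create step ahead of the open, which sits outside this hunk (NewSQLiteStore's body starts before the hunk). Note also that `path != ":memory:"` does not recognise the `file:…?mode=memory` URI form, so a comment stating that only the bare `:memory:` spelling is supported would help the next maintainer.
```go
func NewSQLiteStore(path string) (*SQLStore, error) {
	if path != ":memory:" {
		// Create (or reuse) the DB file with 0600 before SQLite opens it so it
		// never exists with a umask-derived mode, even briefly; SQLite takes the
		// mode of -wal/-shm from this file (verify for modernc.org/sqlite).
		f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE, 0600)
		if err != nil {
			return nil, fmt.Errorf("creating database file %q: %w", path, err)
		}
		f.Close()
	}
	// … unchanged: open the database and the existing chmod loop for pre-existing files …
```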