Sensitive files created without restrictive permissions #716

@grisutheguru

Description

Summary

Sensitive files (encrypted database, Tox save files, settings) are created with default umask permissions (typically 0644), making them readable by other users on shared systems.

Details

No calls to QFile::setPermissions() exist anywhere in the persistence layer. Files are created via QFile, QSaveFile, and sqlite3_open_v2 without post-creation permission adjustment.

Affected files:

  • .tox save files - contain cryptographic identity keys
  • .db database files - encrypted chat history (the contents are encrypted, but the file itself is still readable and can be copied for offline attack)
  • .ini settings files - may contain proxy server addresses, friend lists, UI state
  • Avatar files - contact avatars
  • Lock files - contain PID information

On a multi-user Linux system with default umask 022, all these files are world-readable.

Suggested Fix

Create a utility function and use it for all sensitive file creation:

// In src/persistence/paths.h
static void setSecurePermissions(const QString& filePath) {
#ifdef Q_OS_UNIX
    QFile::setPermissions(filePath,
        QFile::ReadOwner | QFile::WriteOwner);  // 0600
#endif
}

Apply after creating:

  • .tox files in Profile::saveToxSave()
  • Database files in RawDatabaseImpl::open()
  • Settings files in SettingsSerializer::save()
  • Avatar files in Profile::saveAvatar()

For directories (getSettingsDirPath()), use 0700.
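The helper above tightens permissions after the file already exists, which leaves a short window in which the file is world-readable. Below is an added example (not qTox code, and not tied to Qt) showing the POSIX equivalent that avoids that window by passing 0600 to open() with O_EXCL, creating directories as 0700, and auditing a path for any group/other bits; the function names createPrivateFile, ensurePrivateDir, excessPermissionBits and the demo helpers are hypothetical, and the scratch files under /tmp are constructed for the demonstration:

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper (example code, not qTox's own): create a file that is
// 0600 from the instant it exists. O_EXCL refuses to reuse a pre-existing
// (possibly world-readable) file. umask can only clear bits, so the result is
// already private; fchmod pins the mode exactly in case of an unusual umask.
// Returns an open descriptor, or -1 with errno set.
int createPrivateFile(const std::string& path) {
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (::fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        ::close(fd);
        ::unlink(path.c_str());
        errno = saved;
        return -1;
    }
    return fd;
}

// Create the profile/settings directory as 0700, or repair an existing one.
bool ensurePrivateDir(const std::string& path) {
    if (::mkdir(path.c_str(), S_IRWXU) != 0 && errno != EEXIST) return false;
    return ::chmod(path.c_str(), S_IRWXU) == 0;
}

// Audit helper: the group/other permission bits on a path (0 means private).
// Returns -1 if the path cannot be stat'ed.
int excessPermissionBits(const std::string& path) {
    struct stat st;
    if (::stat(path.c_str(), &st) != 0) return -1;
    return static_cast<int>(st.st_mode & (S_IRWXG | S_IRWXO));
}

// Constructed scratch directory for the demo (mkdtemp itself creates it 0700).
static std::string makeScratchDir() {
    char tmpl[] = "/tmp/privperm-XXXXXX";
    const char* dir = ::mkdtemp(tmpl);
    return dir ? std::string(dir) : std::string();
}

// Reproduces the reported behaviour: a settings file left at the umask-022
// default of 0644. fchmod forces that mode so the demo does not depend on the
// umask of the process running it.
int demoLeakyFileBits() {
    std::string dir = makeScratchDir();
    if (dir.empty()) return -1;
    std::string path = dir + "/settings.ini";
    int fd = ::open(path.c_str(), O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    ::fchmod(fd, 0644);
    ::close(fd);
    int bits = excessPermissionBits(path);
    ::unlink(path.c_str());
    ::rmdir(dir.c_str());
    return bits;  // 044: readable by group and others
}

// The fixed behaviour: the same file created through createPrivateFile.
int demoPrivateFileBits() {
    std::string dir = makeScratchDir();
    if (dir.empty()) return -1;
    std::string path = dir + "/profile.tox";
    int fd = createPrivateFile(path);
    if (fd < 0) return -1;
    ::close(fd);
    int bits = excessPermissionBits(path);
    ::unlink(path.c_str());
    ::rmdir(dir.c_str());
    return bits;  // 0: owner-only
}

// A 0700 profile directory passes the audit.
bool demoPrivateDir() {
    std::string dir = makeScratchDir();
    if (dir.empty()) return false;
    std::string sub = dir + "/profile";
    bool ok = ensurePrivateDir(sub) && excessPermissionBits(sub) == 0;
    ::rmdir(sub.c_str());
    ::rmdir(dir.c_str());
    return ok;
}

int main() {
    std::printf("leaky file group/other bits:   %04o\n", demoLeakyFileBits());
    std::printf("private file group/other bits: %04o\n", demoPrivateFileBits());
    std::printf("private dir passes audit:      %s\n", demoPrivateDir() ? "yes" : "no");
    return 0;
}
```

The audit helper is the piece worth keeping around: running excessPermissionBits over every path in the profile directory on startup, and logging anything non-zero, catches files created by older builds (or copied in by the user) that a post-creation chmod in new code paths would never touch.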

Impact

On shared systems, other users can read Tox identity keys, encrypted database files, settings (including proxy config), and contact metadata.
