ensure safe perms for svs.sqlite and sync_flag

Signed-off-by: Allie Crevier <[email protected]>
freedomofpress · May 6, 2021 · 8019c11 · 8019c11
1 parent 4da2e99
commit 8019c11
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 7 deletions.
diff --git a/securedrop_client/app.py b/securedrop_client/app.py
@@ -190,6 +190,7 @@ def start_app(args, qt_args) -> None:
     - configure the client (logic) object.
     - ensure the application is setup in the default safe starting state.
     """
+    os.umask(0o077)
     configure_locale_and_language()
     init(args.sdc_home)
     configure_logging(args.sdc_home)

diff --git a/securedrop_client/db.py b/securedrop_client/db.py
@@ -37,6 +37,8 @@
 def make_session_maker(home: str) -> scoped_session:
     db_path = os.path.join(home, "svs.sqlite")
     engine = create_engine("sqlite:///{}".format(db_path))
+    if os.path.exists(db_path) and oct(os.stat(db_path).st_mode) != "0o100700":
+        os.chmod(db_path, 0o700)
     maker = sessionmaker(bind=engine)
     return scoped_session(maker)
 

diff --git a/securedrop_client/gui/main.py b/securedrop_client/gui/main.py
@@ -20,7 +20,6 @@
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 import logging
-import os
 from gettext import gettext as _
 from typing import Dict, List, Optional  # noqa: F401
 
@@ -56,7 +55,6 @@ def __init__(self) -> None:
           place for details / message contents / forms.
         """
         super().__init__()
-        os.umask(0o077)
         load_font("Montserrat")
         load_font("Source_Sans_Pro")
         self.setStyleSheet(load_css("sdclient.css"))

diff --git a/securedrop_client/logic.py b/securedrop_client/logic.py
@@ -337,7 +337,13 @@ def __init__(
         self.show_last_sync_timer.timeout.connect(self.show_last_sync)
 
         # Path to the file containing the timestamp since the last sync with the server
+        # TODO: Remove this code once the sync timestamp is tracked instead in svs.sqlite
         self.last_sync_filepath = os.path.join(home, "sync_flag")
+        if (
+            os.path.exists(self.last_sync_filepath)
+            and oct(os.stat(self.last_sync_filepath).st_mode) != "0o100700"
+        ):
+            os.chmod(self.last_sync_filepath, 0o700)
 
     @property
     def is_authenticated(self) -> bool:

diff --git a/tests/test_logic.py b/tests/test_logic.py
@@ -82,11 +82,18 @@ def test_Controller_init(homedir, config, mocker, session_maker):
     """
     mock_gui = mocker.MagicMock()
 
-    co = Controller("http://localhost/", mock_gui, session_maker, homedir)
-    assert co.hostname == "http://localhost/"
-    assert co.gui == mock_gui
-    assert co.session_maker == session_maker
-    assert co.api_threads == {}
+    # Ensure a sync_flag file with insecure perms is updated with the expected perms
+    insecure_sync_flag_path = os.path.join(homedir, "sync_flag")
+    with open(insecure_sync_flag_path, "w"):
+        os.chmod(insecure_sync_flag_path, 0o100644)
+        assert oct(os.stat(insecure_sync_flag_path).st_mode) == "0o100644"  # sanity check
+        co = Controller("http://localhost/", mock_gui, session_maker, homedir)
+        assert co.hostname == "http://localhost/"
+        assert co.gui == mock_gui
+        assert co.session_maker == session_maker
+        assert co.api_threads == {}
+        assert co.last_sync_filepath == insecure_sync_flag_path
+        assert oct(os.stat(co.last_sync_filepath).st_mode) == "0o100700"
 
 
 def test_Controller_setup(homedir, config, mocker, session_maker, session):