Fixes pentest issue DG25-28 from 2025-09-02 (#578)

* ensure data directories have appropriate permissions
* also set permissions for log directory
* set permissions for other files/directories
* automatically determine if path is a directory
* nix flake update

Author: j-chmielewski

flake.lock

@@ -9,6 +9,8 @@ use struct_patch::Patch;
 use strum::{Display, EnumString};
 use tauri::{AppHandle, Manager};
 
+use crate::set_perms;
+
 static APP_CONFIG_FILE_NAME: &str = "config.json";
 
 fn get_config_file_path(app: &AppHandle) -> PathBuf {
@@ -19,7 +21,9 @@ fn get_config_file_path(app: &AppHandle) -> PathBuf {
     if !config_file_path.exists() {
         create_dir_all(&config_file_path).expect("Failed to create missing app data dir");
     }
+    set_perms(&config_file_path);
     config_file_path.push(APP_CONFIG_FILE_NAME);
+    set_perms(&config_file_path);
     config_file_path
 }
 

src-tauri/src/app_config.rs

@@ -17,7 +17,7 @@ use defguard_client::{
         DB_POOL,
     },
     periodic::run_periodic_tasks,
-    service,
+    service, set_perms,
     tray::{configure_tray_icon, setup_tray, show_main_window},
     utils::load_log_targets,
     VERSION,
@@ -277,19 +277,22 @@ fn main() {
     app.run(|app_handle, event| match event {
         // Startup tasks
         RunEvent::Ready => {
+            let data_dir = app_handle
+                    .path()
+                    .app_data_dir()
+                    .unwrap_or_else(|_| "UNDEFINED DATA DIRECTORY".into());
+            let log_dir = app_handle
+                .path()
+                .app_log_dir()
+                .unwrap_or_else(|_| "UNDEFINED LOG DIRECTORY".into());
+
+            // Ensure directories have appropriate permissions (dg25-28).
+            set_perms(&data_dir);
+            set_perms(&log_dir);
             info!(
-                "Application data (database file) will be stored in: {} and application logs in: {}. \
+                "Application data (database file) will be stored in: {data_dir:?} and application logs in: {log_dir:?}. \
                 Logs of the background Defguard service responsible for managing VPN connections at the \
                 network level will be stored in: {}.",
-                // display the path to the app data directory, convert option<pathbuf> to option<&str>
-                app_handle
-                    .path()
-                    .app_data_dir()
-                    .unwrap_or_else(|_| "UNDEFINED DATA DIRECTORY".into()).display(),
-                app_handle
-                    .path()
-                    .app_log_dir()
-                    .unwrap_or_else(|_| "UNDEFINED LOG DIRECTORY".into()).display(),
                 service::config::DEFAULT_LOG_DIR
             );
             tauri::async_runtime::block_on(startup(app_handle));

src-tauri/src/bin/defguard-client.rs

@@ -1,5 +1,3 @@
-pub mod models;
-
 use std::{
     env,
     fs::{create_dir_all, File},
@@ -9,10 +7,12 @@ use std::{
 
 use sqlx::sqlite::{SqliteAutoVacuum, SqliteConnectOptions, SqliteJournalMode, SqlitePool};
 
-use crate::{app_data_dir, error::Error};
+use crate::{app_data_dir, error::Error, set_perms};
 
 const DB_NAME: &str = "defguard.db";
 
+pub mod models;
+
 pub(crate) type DbPool = SqlitePool;
 
 pub static DB_POOL: LazyLock<SqlitePool> = LazyLock::new(|| {
@@ -59,6 +59,7 @@ fn prepare_db_url() -> Result<String, Error> {
                 app_dir.to_string_lossy()
             );
         }
+        set_perms(&app_dir);
         let db_path = app_dir.join(DB_NAME);
         if db_path.exists() {
             debug!(
@@ -77,6 +78,7 @@ fn prepare_db_url() -> Result<String, Error> {
                 db_path.to_string_lossy()
             );
         }
+        set_perms(&db_path);
         debug!(
             "Application's database file is located at: {}",
             db_path.to_string_lossy()

src-tauri/src/database/mod.rs

@@ -1,6 +1,11 @@
 // FIXME: actually refactor errors instead
 #![allow(clippy::result_large_err)]
 use std::{fmt, path::PathBuf};
+#[cfg(not(windows))]
+use std::{
+    fs::{set_permissions, Permissions},
+    os::unix::fs::PermissionsExt,
+};
 
 use chrono::NaiveDateTime;
 use semver::Version;
@@ -77,6 +82,19 @@ pub fn app_data_dir() -> Option<PathBuf> {
     dirs_next::data_dir().map(|dir| dir.join(BUNDLE_IDENTIFIER))
 }
 
+/// Ensures path has appropriate permissions set (dg25-28):
+/// - 700 for directories
+/// - 600 for files
+pub fn set_perms(path: &PathBuf) {
+    #[cfg(not(windows))]
+    {
+        let perms = if path.is_dir() { 0o700 } else { 0o600 };
+        if let Err(err) = set_permissions(path, Permissions::from_mode(perms)) {
+            warn!("Failed to set permissions on path {path:?}: {err}");
+        }
+    }
+}
+
 /// Location type used in commands to check if we using tunnel or location
 #[derive(Clone, Copy, Debug, Deserialize, PartialEq, Serialize)]
 pub enum ConnectionType {