permissions

veilid-core/src/intf/native/block_store.rs

@@ -23,6 +23,9 @@ impl BlockStore {
     }
 
     pub async fn init(&self) -> Result<(), String> {
+        // Ensure permissions are correct
+        // ensure_file_private_owner(&dbpath)?;
+
         Ok(())
     }
 

veilid-core/src/intf/native/protected_store.rs

@@ -48,6 +48,7 @@ impl ProtectedStore {
             let c = self.config.get();
             let mut inner = self.inner.lock();
             if !c.protected_store.always_use_insecure_storage {
+                // Attempt to open the secure keyring
                 cfg_if! {
                     if #[cfg(target_os = "android")] {
                         inner.keyring_manager = KeyringManager::new_secure(&c.program_name, intf::native::utils::android::get_android_globals()).ok();
@@ -70,6 +71,11 @@ impl ProtectedStore {
                         format!("_{}", c.namespace)
                     }
                 ));
+
+                // Ensure permissions are correct
+                ensure_file_private_owner(&insecure_keyring_file)?;
+
+                // Open the insecure keyring
                 inner.keyring_manager = Some(
                     KeyringManager::new_insecure(&c.program_name, &insecure_keyring_file)
                         .map_err(map_to_string)

veilid-core/src/intf/native/table_store.rs

@@ -99,9 +99,17 @@ impl TableStore {
         }
 
         let dbpath = self.get_dbpath(&table_name)?;
+
+        // Ensure permissions are correct
+        ensure_file_private_owner(&dbpath)?;
+
         let cfg = DatabaseConfig::with_columns(column_count);
         let db =
             Database::open(&dbpath, cfg).map_err(|e| format!("failed to open tabledb: {}", e))?;
+
+        // Ensure permissions are correct
+        ensure_file_private_owner(&dbpath)?;
+
         trace!(
             "opened table store '{}' at path '{:?}' with {} columns",
             name,