
Rocket.Chat Electron creates config files with overly permissive file permissions (0666)

Open moerkey opened this issue 4 weeks ago • 3 comments

Search before asking

  • [x] I had searched in the issues and found no similar issues.

Operating System

  • [ ] macOS
  • [ ] Windows
  • [x] Linux

Operating System Version

Ubuntu 24.04.03

It happens on the web browser too?

No, it just happens on the Desktop app

Rocket.Chat Desktop App Version

4.9.2

Rocket.Chat Server Version

7.10.4

Describe the bug

The Rocket.Chat Electron client creates configuration files in ~/.config/Rocket.Chat/ with overly permissive file permissions. The files are created with mode 0666 (rw-rw-rw-), which means they are world-writable. This is unexpected and can be considered a security issue, as other local users can modify these configuration files.

How to Reproduce

Install the app and check the file permissions.

$ ls -lh ~/.config/Rocket.Chat/config.json ~/.config/Rocket.Chat/supportedVersions.json
-rw-rw-rw- 1 USER GROUP 22K Nov 27 09:24 ~/.config/Rocket.Chat/config.json
-rw-rw-rw- 1 USER GROUP 13K Nov 27 07:53 ~/.config/Rocket.Chat/supportedVersions.json

Describe your Expected behavior

Configuration files should have more restrictive permissions, typically 0600 or 0640, depending on whether group access is required.

moerkey avatar Nov 27 '25 08:11 moerkey

I have created a pull request to fix this issue: #3147.

The PR adds secure file permissions (0600) to the supportedVersions cache so it is only readable/writable by the current user.
Tested on Windows and WSL.

Please review when possible. 🙂

Nitinref avatar Dec 01 '25 05:12 Nitinref

A PR was created for this by @Nitinref and @jeanfbrito will likely review it soon. In the meantime, are there any exploitable paths to achieve RCE, LPE, or the like? This could help us better categorize it and track it internally. If there are no exploitable paths, it's more of a security improvement and sanity check rather than a vulnerability per se.

julio-rocketchat avatar Dec 08 '25 08:12 julio-rocketchat

@julio-rocketchat @jeanfbrito As far as I checked, there are no known direct exploit paths like RCE or LPE. However, having world-writable files (0666) in the config/cache directory can increase the attack surface and is generally unsafe. So this PR ensures safer defaults (0600) as a preventive security improvement.

Nitinref avatar Dec 08 '25 10:12 Nitinref