
`data.json` uses mode 666 on linux

Open exincore opened this issue 2 months ago • 3 comments

Steps To Reproduce

  1. Clear user data with `rm -r ~/.config/Bitwarden`
  2. Open Bitwarden AppImage and login
  3. Observe access mode with `stat ~/.config/Bitwarden/data.json`

Expected Result

`~/.config/Bitwarden/data.json` should have access mode `0600/-rw-------`.

Actual Result

`~/.config/Bitwarden/data.json` has access mode `0666/-rw-rw-rw-`. If the mode is manually changed to 600 with `chmod 600 ~/.config/Bitwarden/data.json`, the application will change it back to 666.

Screenshots or Videos

No response

Additional Context

I have also briefly witnessed a temporary file of the form `data.json.tmp-xxxxxxxxxxxxxxxx` with access mode `0644/-rw-r--r--` on application launch.

There are also some symbolic links `SingletonCookie`, `SingletonLock`, and `SingletonSocket` that have mode `0777/lrwxrwxrwx` that exist as long as the application is open; one of these appears to store a sensitive variable, and symlinks cannot have access mode other than 777.

Operating System

Linux

Operating System Version

openSUSE Tumbleweed x86_64 20240423; kernel 6.8.7-1-default; KDE Plasma 6.0.4

Installation method

Direct Download (from bitwarden.com)

Build Version

2024.4.1

Issue Tracking Info

  • [X] I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

exincore avatar Apr 28 '24 00:04 exincore
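The check in step 3 of the report can be widened to the whole profile directory, so that the temporary `data.json.tmp-*` file is covered as well. The following is an added example, not Bitwarden code and not part of the original post; the function names, the `control-0600.txt` file and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bitwarden code. Names and sample files are constructed.

# audit_modes DIR
# Prints "<octal mode> <path>" for each regular file under DIR that grants any
# permission to group or others. Symlinks are skipped (-type f): their 0777
# mode cannot be changed, as the report notes.
# Exit status: 0 = nothing exposed, 1 = exposed files found, 2 = bad input.
# Limitation: paths containing newlines are not handled.
audit_modes() (
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    list=$(find "$dir" -type f -exec stat -c '%a %n' {} +) || exit 2
    exposed=0
    while read -r mode path; do
        [ -n "$mode" ] || continue
        # Leading 0 makes the shell read the mode as octal; 077 = group+other.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$path"
            exposed=1
        fi
    done <<EOF
$list
EOF
    exit "$exposed"
)

# make_sample_profile
# Builds a throwaway directory with the modes described in the report and
# prints its path. All contents are constructed placeholders.
make_sample_profile() (
    d=$(mktemp -d) || exit 2
    : > "$d/data.json"
    chmod 666 "$d/data.json"
    : > "$d/data.json.tmp-0000000000000000"
    chmod 644 "$d/data.json.tmp-0000000000000000"
    : > "$d/control-0600.txt"
    chmod 600 "$d/control-0600.txt"
    ln -s placeholder-target "$d/SingletonLock"
    printf '%s\n' "$d"
)

# Stand-alone use: sh audit.sh ~/.config/Bitwarden
if [ "$#" -gt 0 ]; then
    audit_modes "$1"
fi
```

Because the report says the application resets the mode after a manual `chmod`, the audit is worth re-running after the client has been started and has written its data again.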

Hello @exincore,

Thank you for this report. Just to make sure that you and I are on the same page, how did you install that Bitwarden desktop client?

To be clear, we have captured this matter internally with regard to the .AppImage release, and we received a similar report about the Export function here.

Thank you in advance,

SergeantConfused avatar Apr 28 '24 05:04 SergeantConfused

I downloaded the latest AppImage from https://bitwarden.com/download and moved it to `~/bin/Bitwarden-2024.4.1-x86_64.AppImage`.

Launching the application by executing `Bitwarden-2024.4.1-x86_64.AppImage` in a shell will cause this issue.

Also, I have the daemon `appimaged`, which automatically generates this desktop file `~/.local/share/applications/appimagekit_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-bitwarden.desktop`; launching the application with this desktop file leads to the same result:

```ini
[Desktop Entry]
Name=Bitwarden
Exec=/home/exin/bin/Bitwarden-2024.4.1-x86_64.AppImage
Terminal=false
Type=Application
Icon=appimagekit_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_bitwarden
StartupWMClass=Bitwarden
X-AppImage-Version=2024.4.1
GenericName=Password Manager
Comment=A secure and free password manager for all of your devices.
MimeType=x-scheme-handler/bitwarden;
Categories=Utility;
TryExec=/home/exin/bin/Bitwarden-2024.4.1-x86_64.AppImage
X-AppImage-Comment=Generated by appimaged 10
X-AppImage-Identifier=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

exincore avatar Apr 28 '24 19:04 exincore

Hi @exincore,

Thank you. Yes, this matter has already been captured internally, and we're looking into it; I will leave this external GitHub report open for visibility for the time being.

Thank you again,

SergeantConfused avatar May 05 '24 12:05 SergeantConfused