Summary
On *nix and macOS, halloy creates its config directory and files using default umask permissions, which typically results in 0644 on files and 0755 on directories. This allows any local user on the system to read plaintext credentials stored in config.toml or referenced password_file paths.
Details
When halloy creates the config directory via create_dir_all or writes the initial config via std::fs::write, no explicit permissions are set. The resulting permissions depend on the user's umask, which is 0022 on most Linux distributions.
Files containing credentials:
config.toml — can contain password, nick_password, and sasl.plain.password fields in plaintext
- Any file referenced by
password_file, nick_password_file, or sasl.plain.password_file — halloy reads these without checking their permissions
Relevant code paths:
data/src/config.rs — config_dir(), sounds_dir(), themes_dir() call create_dir_all with no mode set
data/src/config.rs — create_initial_config() calls std::fs::write with no mode set
data/src/server.rs — ConfigMap::new() reads password files via fs::read_to_string with no permission check
PoC
On a default Ubuntu/Debian/Fedora/Arch system with two user accounts:
- User A installs and runs halloy, which creates
~/.config/halloy/config.toml with a server password configured
- User B runs:
cat /home/user_a/.config/halloy/config.toml
- User B can read all credentials in plaintext
This works because the default umask 0022 produces mode 0644 on the config file and 0755 on both the home directory (on many distros) and the .config/halloy directory.
Impact
Information disclosure of IRC credentials (server passwords, NickServ passwords, SASL passwords). On shared systems, any local user can read another user's halloy credentials without elevated privileges. Since users commonly reuse passwords, exposed credentials enable credential stuffing attacks against the user's accounts on other services.
Users using password_command are not affected as the passwords come from external applications via stdout which only exists in memory and doesn't touch the filesystem.
Summary
On *nix and macOS, halloy creates its config directory and files using default umask permissions, which typically results in
0644on files and0755on directories. This allows any local user on the system to read plaintext credentials stored inconfig.tomlor referencedpassword_filepaths.Details
When halloy creates the config directory via
create_dir_allor writes the initial config viastd::fs::write, no explicit permissions are set. The resulting permissions depend on the user's umask, which is0022on most Linux distributions.Files containing credentials:
config.toml— can containpassword,nick_password, andsasl.plain.passwordfields in plaintextpassword_file,nick_password_file, orsasl.plain.password_file— halloy reads these without checking their permissionsRelevant code paths:
data/src/config.rs—config_dir(),sounds_dir(),themes_dir()callcreate_dir_allwith no mode setdata/src/config.rs—create_initial_config()callsstd::fs::writewith no mode setdata/src/server.rs—ConfigMap::new()reads password files viafs::read_to_stringwith no permission checkPoC
On a default Ubuntu/Debian/Fedora/Arch system with two user accounts:
~/.config/halloy/config.tomlwith a server password configuredcat /home/user_a/.config/halloy/config.tomlThis works because the default umask
0022produces mode0644on the config file and0755on both the home directory (on many distros) and the.config/halloydirectory.Impact
Information disclosure of IRC credentials (server passwords, NickServ passwords, SASL passwords). On shared systems, any local user can read another user's halloy credentials without elevated privileges. Since users commonly reuse passwords, exposed credentials enable credential stuffing attacks against the user's accounts on other services.
Users using
password_commandare not affected as the passwords come from external applications viastdoutwhich only exists in memory and doesn't touch the filesystem.