Context
PR #3672 (feat/platform-wallet-storage-secrets) lands the encrypted-file secret backend (packages/rs-platform-wallet-storage/src/secrets/file/). On Unix the backend enforces:
- vault file mode 0600 (check_perms at src/secrets/file/mod.rs)
- vault directory mode 0700 (set_restrictive_dir_perms at src/secrets/file/mod.rs)
Code-review finding CMT-007 flagged that the non-Unix check_perms stub returns Ok(()) unconditionally. Operators on Windows are currently expected to set ACLs manually on the vault directory and file. This issue tracks the follow-up to enforce the same fail-loud contract on Windows.
Scope
- Implement a Windows ACL read-check for the vault file's DACL — refuse when any principal other than the current user has read/write access. Mirrors check_perms on Unix (InsecurePermissions { mode } is the typed error; the Windows variant will need its own discriminant or a wrapped ACL summary that carries no secret bytes).
- Implement an ACL tighten for the vault directory at EncryptedFileStore::open (mirrors set_restrictive_dir_perms on Unix). A pre-existing directory whose ACL is looser than current-user-only should be logged at warn level and tightened in place — matches the Unix policy chosen for CMT-002.
- Use windows-acl or windows / winapi directly. GetSecurityInfo + SetSecurityInfo are the relevant primitives.
- Pair the implementation with parity tests under #[cfg(windows)] (the existing Unix vault_created_0600 / loose_perms_preexisting_file_refused tests are the pattern to mirror).
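As an added example (not code from PR #3672 or the wallet-storage crate), this is the decision rule a Windows check_perms needs once GetSecurityInfo has produced the DACL: it walks an ACE summary, treats a NULL DACL as fully exposed, skips Deny ACEs, and reports offending principals by SID and masked bits only, so the typed error carries no secret bytes. The AceSummary and PermError types and the SID strings are assumptions; the access-mask constants are the real Win32 values.

```rust
// Added example, not code from PR #3672: the DACL decision rule behind a
// Windows check_perms, applied to an ACE summary already read with
// GetSecurityInfo. AceSummary/PermError and the SID strings are assumed.
const GENERIC_READ: u32 = 0x8000_0000; // real Win32 access bits
const GENERIC_WRITE: u32 = 0x4000_0000;
const GENERIC_ALL: u32 = 0x1000_0000;
const FILE_READ_DATA: u32 = 0x0001;
const FILE_WRITE_DATA: u32 = 0x0002;
const FILE_APPEND_DATA: u32 = 0x0004;
// Any of these bits lets a principal read or change vault contents.
// FILE_READ_ATTRIBUTES / SYNCHRONIZE alone do not, so they are not listed.
const CONTENT_ACCESS: u32 = GENERIC_READ | GENERIC_WRITE | GENERIC_ALL
    | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AceKind { Allow, Deny }

/// One ACE from the vault file's DACL: trustee SID (string form), type, mask.
#[derive(Clone, Debug)]
pub struct AceSummary { pub sid: String, pub kind: AceKind, pub mask: u32 }

/// Windows counterpart of InsecurePermissions { mode }: carries only the
/// exposed principals and the offending bits, never vault bytes.
#[derive(Debug, PartialEq, Eq)]
pub enum PermError {
    /// A NULL DACL grants Everyone full control; refuse outright.
    NullDacl,
    Insecure { exposed: Vec<(String, u32)> },
}

/// Ok only when no principal other than `current_user` is granted content
/// access. Deny ACEs are skipped: they grant nothing, and not modelling
/// deny-before-allow ordering errs on the side of refusing.
pub fn check_dacl(current_user: &str, dacl: Option<&[AceSummary]>) -> Result<(), PermError> {
    let aces = dacl.ok_or(PermError::NullDacl)?;
    let exposed: Vec<(String, u32)> = aces
        .iter()
        .filter(|a| a.kind == AceKind::Allow && a.sid != current_user)
        .filter(|a| a.mask & CONTENT_ACCESS != 0)
        .map(|a| (a.sid.clone(), a.mask & CONTENT_ACCESS))
        .collect();
    if exposed.is_empty() { Ok(()) } else { Err(PermError::Insecure { exposed }) }
}

fn main() {
    // Constructed sample: owner full control plus Everyone (S-1-1-0) read.
    let me = "S-1-5-21-1-2-3-1001";
    let dacl = vec![
        AceSummary { sid: me.to_string(), kind: AceKind::Allow, mask: 0x001F_01FF },
        AceSummary { sid: "S-1-1-0".to_string(), kind: AceKind::Allow, mask: GENERIC_READ },
    ];
    println!("{:?}", check_dacl(me, Some(dacl.as_slice())));
}
```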
References
- packages/rs-platform-wallet-storage/src/secrets/file/mod.rs — check_perms, set_restrictive_dir_perms, set_restrictive_perms non-Unix branches.
- INTENTIONAL for the secrets-feature landing).
Acceptance criteria
- check_perms rejects vault files whose DACL grants read/write to any non-owner principal.
- set_restrictive_dir_perms tightens the vault dir to current-user-only and logs the prior exposure when it had looser perms.
- INTENTIONAL (CMT-007) comment in src/secrets/file/mod.rs is removed.
- vault_created_0600 / loose_perms_preexisting_file_refused cases under #[cfg(windows)].