security hardening: timing-safe auth, file permissions, password file #71

Merged
kacy merged 3 commits into main from security/hardening
Feb 10, 2026

Conversation

@kacy kacy (Owner) commented Feb 10, 2026

summary

three targeted security fixes identified during audit:

  • constant-time password comparison — all three AUTH code paths (connection_common.rs, connection.rs, concurrent_handler.rs) now use subtle::ConstantTimeEq instead of ==, preventing timing side-channel attacks on password guessing
  • restricted file permissions — AOF and snapshot files are created with mode 0600 (owner-only) on unix via OpenOptionsExt, preventing other users on the system from reading potentially sensitive cached data
  • --requirepass-file flag — alternative to --requirepass that reads the password from a file at startup, avoiding exposure in /proc/cmdline and shell history. mutually exclusive with --requirepass, errors on empty or unreadable files

what was tested

  • cargo clippy --workspace -- -D warnings — clean
  • cargo test --workspace — all tests pass, no regressions
  • verified file permissions on macOS: AOF and snapshot files created with 0600
  • verified --requirepass-file works with AUTH, rejects empty files, errors when both flags set

design considerations

  • subtle crate is the standard for constant-time operations in rust (used by ring, rustls, etc.)
  • file permissions use #[cfg(unix)] gating so windows builds aren't affected
  • password file is trimmed with trim_end() (not trim()) to allow leading whitespace in passwords, matching common secret-file conventions
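An added illustration of the three mechanisms the PR description lists, written for this page and not taken from the PR or the project's code base. The comparison below is a hand-rolled XOR-accumulate loop standing in for `subtle::ConstantTimeEq` so the snippet compiles without the crate; like subtle's slice implementation, it still returns early on a length mismatch, so only the contents, not the length, are protected. The function names, the `io::Error` kinds and the sample password file contents are assumptions; the file reading follows the described `trim_end()` and empty-file rules, and the persistence file is opened with mode 0600 behind `#[cfg(unix)]`.

```rust
// Added example for PR #71's description; not the project's own code.
use std::fs::{self, OpenOptions};
use std::hint::black_box;
use std::io::{self, Write};
use std::path::Path;

/// Stand-in for subtle::ConstantTimeEq on byte slices: every byte pair is
/// XORed and OR-accumulated, so the loop never exits early on the first
/// differing byte. A length mismatch still returns at once, as in subtle;
/// the password length is not treated as secret.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    // black_box discourages the optimizer from rewriting the loop into a
    // short-circuiting comparison.
    black_box(diff) == 0
}

/// --requirepass-file semantics as described: strip trailing whitespace
/// only (the usual trailing newline), keep leading whitespace, and treat
/// an empty result as an error.
pub fn read_password_file(path: &Path) -> io::Result<String> {
    let raw = fs::read_to_string(path)?;
    let password = raw.trim_end().to_string();
    if password.is_empty() {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "password file is empty"));
    }
    Ok(password)
}

/// Resolve the effective password from the two mutually exclusive flags.
pub fn resolve_password(inline: Option<&str>, file: Option<&Path>) -> io::Result<Option<String>> {
    match (inline, file) {
        (Some(_), Some(_)) => Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "--requirepass and --requirepass-file are mutually exclusive",
        )),
        (Some(p), None) => Ok(Some(p.to_string())),
        (None, Some(path)) => read_password_file(path).map(Some),
        (None, None) => Ok(None),
    }
}

/// Create a persistence file (AOF, snapshot) readable and writable by the
/// owner only. The mode is applied only at creation time, hence
/// create_new; non-unix targets get the platform default permissions.
pub fn create_private_file(path: &Path) -> io::Result<fs::File> {
    let mut opts = OpenOptions::new();
    opts.write(true).create_new(true);
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.mode(0o600);
    }
    opts.open(path)
}

/// Permission bits of a path: Some(mode & 0o777) on unix, None elsewhere.
#[cfg(unix)]
pub fn permission_bits(path: &Path) -> io::Result<Option<u32>> {
    use std::os::unix::fs::PermissionsExt;
    Ok(Some(fs::metadata(path)?.permissions().mode() & 0o777))
}

#[cfg(not(unix))]
pub fn permission_bits(path: &Path) -> io::Result<Option<u32>> {
    fs::metadata(path).map(|_| None)
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir();

    // Constructed sample password file: leading spaces are part of the secret.
    let pw_path = dir.join("example-requirepass.txt");
    fs::write(&pw_path, "  s3cret\n")?;
    let password = resolve_password(None, Some(&pw_path))?.unwrap();
    println!("password from file: {:?}", password);
    println!("AUTH s3cret accepted: {}", constant_time_eq(password.as_bytes(), b"s3cret"));
    println!("AUTH '  s3cret' accepted: {}", constant_time_eq(password.as_bytes(), b"  s3cret"));

    // Constructed AOF file created owner-only.
    let aof_path = dir.join("example-appendonly.aof");
    let _ = fs::remove_file(&aof_path);
    let mut aof = create_private_file(&aof_path)?;
    aof.write_all(b"*1\r\n$4\r\nPING\r\n")?;
    match permission_bits(&aof_path)? {
        Some(mode) => println!("aof mode: {:o}", mode),
        None => println!("aof mode: platform default (non-unix)"),
    }
    Ok(())
}
```

Running it prints the password with its leading spaces preserved, shows the comparison rejecting `s3cret` and accepting `  s3cret`, and reports mode `600` on the AOF file on unix. Because `create_new` is used, an already existing file with looser permissions is not silently reused; a real server would need to decide between that and opening the existing file for append.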

kacy added 3 commits February 9, 2026 19:31

replace `==` with `subtle::ConstantTimeEq` in all three AUTH
handlers to prevent timing side-channel attacks. adds the `subtle`
crate as a workspace dependency.

AOF and snapshot files may contain sensitive data. set file mode to
owner-only read/write (0600) using OpenOptionsExt on unix platforms.
non-unix platforms retain default behavior.

adds --requirepass-file as an alternative to --requirepass, avoiding
password exposure in /proc/cmdline. the file is read at startup and
trimmed of trailing whitespace. errors if both flags are set or if
the file is empty/unreadable.
@kacy kacy merged commit 180c9c5 into main Feb 10, 2026
7 checks passed
@kacy kacy deleted the security/hardening branch February 10, 2026 00:33
kacy added a commit that referenced this pull request Feb 11, 2026
…#71)

* fix: use constant-time comparison for password authentication

replace `==` with `subtle::ConstantTimeEq` in all three AUTH
handlers to prevent timing side-channel attacks. adds the `subtle`
crate as a workspace dependency.

* fix: restrict persistence file permissions to 0600 on unix

AOF and snapshot files may contain sensitive data. set file mode to
owner-only read/write (0600) using OpenOptionsExt on unix platforms.
non-unix platforms retain default behavior.

* feat: add --requirepass-file flag for file-based password

adds --requirepass-file as an alternative to --requirepass, avoiding
password exposure in /proc/cmdline. the file is read at startup and
trimmed of trailing whitespace. errors if both flags are set or if
the file is empty/unreadable.