Repository metrics
- Stars
- (48,085 stars)
- PR merge metrics
- (平均マージ 11d 1h) (30d で 45 merged PRs)
説明
Summary
RTK stores privacy-relevant local history and raw tee output under the platform local data directory. In v0.39.0, the tracking DB and tee log paths are created with default filesystem behavior rather than explicit restrictive Unix permissions.
This is local data hardening, not an accusation of malware.
Version / tag / commit
- Tag:
v0.39.0 - Commit:
2fbc7514f6964acabcfac65501b8bb6b525e3aa8
Evidence
The local files can contain sensitive local data:
src/core/tracking.rs:263-318createscommands(original_cmd, rtk_cmd, project_path, ...)andparse_failures(raw_command, error_message, ...).src/core/tracking.rs:417-426records the canonical current project path with each command.src/core/tracking.rs:465-483records raw parse-failure commands and error messages.src/core/tee.rs:105-146writes raw command output to tee.logfiles.
Tracking DB and tee logs do not set explicit restrictive permissions in the reviewed source:
src/core/tracking.rs:249-255creates the parent directory withstd::fs::create_dir_alland opens the SQLite DB withConnection::open(&db_path).src/core/tee.rs:113-141creates the tee directory withstd::fs::create_dir_alland writes the tee file withstd::fs::write.
There is an existing precedent for explicit local-data permissions:
src/core/telemetry.rs:174-186creates the device salt file and, on Unix, sets it to0o600.
Duplicate search performed:
gh issue list -R rtk-ai/rtk --search "history db tee permissions 0600"
No focused duplicate was found.
Impact
On Unix-like systems, default file modes depend on process umask and parent directory permissions. If the user's environment has permissive defaults, history.db or tee logs could be readable by other local users. The risk is local-only, but the stored fields can include command arguments, project paths, parse failure text, and raw command output.
Verification steps
- Inspect
src/core/tracking.rs:249-255andsrc/core/tee.rs:113-141. - Compare with
src/core/telemetry.rs:174-186, which explicitly sets the salt file to0o600. - Confirm there is no analogous
set_permissionsforhistory.db, its WAL/SHM files, thertkdata dir, theteedir, or tee.logfiles.
Suggested mitigation
On Unix:
- create the RTK data directory and tee directory with
0o700where possible; - set
history.db, SQLite sidecar files where feasible, and tee.logfiles to0o600; - add tests behind
#[cfg(unix)].
On Windows, document reliance on the user's local app-data ACLs unless explicit ACL hardening is added.