World-readable "sync-conflict" files for private files

I’m using SyncThing to sync a password database between a Linux PC and an Android phone. I’ve recently noticed that while the password database itself is restricted to my own user, SyncThing kept creating *.sync-conflict-* files that are world-readable, therefore exposing the password database to other users, e.g.:

-rw------- 1 mgorny mgorny 56K 11-13 05:04 Passwords.kdbx
-rw-r--r-- 1 mgorny mgorny 51K 10-20 07:49 Passwords.sync-conflict-20231023-155348-DLDPJRE.kdbx

Is this a problem with my setup, or perhaps a bug?

I suspect it’s a problem with your setup. I can’t know from the description, but here’s what I think happened:

  • A conflict was created on the Android side
  • The Android side uses “ignore permissions”
  • The conflict file gets synced to Linux without permissions, thus getting the default you see

This is “as designed” given ignore-permissions is enabled. The actual sync conflict, when created, is an mv of the original file and should thus retain its permission bits.
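As an added example (not part of the original posts, and not Syncthing's own code): a small audit that finds conflict copies granting permission bits their original file lacks, and drops the extra bits. The file-name pattern is inferred from the listing in the question; `audit_conflicts` and `demo` are hypothetical names, and the owner-only fallback used when the original file is missing is an assumption.

```python
import os
import re
import stat
import tempfile

# Inferred from the thread: <stem>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<device>.<ext>
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-\d{8}-\d{6}(?:-[A-Z0-9]+)?(?P<ext>\.[^.]*)?$"
)

def audit_conflicts(root, fix=False):
    """Return [(path, old_mode, wanted_mode)] for conflict copies that grant
    permission bits their original file does not; chmod them if fix=True."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = CONFLICT_RE.match(name)
            if not m or os.path.islink(path):  # never chmod through symlinks
                continue
            original = os.path.join(dirpath, m["stem"] + (m["ext"] or ""))
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if os.path.isfile(original):
                ref = stat.S_IMODE(os.stat(original).st_mode)
            else:
                ref = 0o600  # assumption: original gone, owner-only intended
            wanted = mode & ref  # only ever drop bits, never add any
            if wanted != mode:
                findings.append((path, mode, wanted))
                if fix:
                    os.chmod(path, wanted)
    return findings

def demo():
    """Rebuild the thread's listing in a temp dir (constructed sample files)."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "Passwords.kdbx")
        conflict = os.path.join(
            d, "Passwords.sync-conflict-20231023-155348-DLDPJRE.kdbx")
        for p, mode in ((db, 0o600), (conflict, 0o644)):
            with open(p, "wb") as f:
                f.write(b"constructed sample, not a real database")
            os.chmod(p, mode)
        found = audit_conflicts(d, fix=True)
        after = stat.S_IMODE(os.stat(conflict).st_mode)
        return [(os.path.basename(p), o, w) for p, o, w in found], after

if __name__ == "__main__":
    print(demo())
```

Run with `fix=False` first to get a report only; a restrictive umask on the receiving side is a separate control that this script does not set.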
