I’m using SyncThing to sync a password database between a Linux PC and an Android phone. I’ve recently noticed that while the password database itself is restricted to my own user, SyncThing kept creating *.sync-conflict-* files that are world-readable, therefore exposing the password database to other users, e.g.:
I suspect it’s a problem with your setup. I can’t know from the description, but here’s what I think happened:
1. A conflict was created on the Android side
2. The Android side uses “ignore permissions”
3. The conflict file gets synced to Linux without permissions, thus getting the default you see
This is “as designed” given ignore-permissions is enabled. The actual sync conflict, when created, is an mv of the original file and should thus retain its permission bits.
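A way to check a synced folder on the Linux side for the exposure discussed in this thread, as an added example that is not part of either post: it lists `*.sync-conflict-*` files that carry any group or other permission bits and can strip those bits. The function names, the sample file names and the use of GNU `find`/`stat` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a synced folder for conflict
# copies that are accessible to users other than the owner.
# Assumes GNU findutils/coreutils, as found on a typical Linux PC.

# Print every conflict copy under DIR with any group/other permission bit set.
find_exposed_conflicts() {
    find "$1" -type f -name '*.sync-conflict-*' -perm /077 -print
}

# Remove all group/other bits from those conflict copies (owner bits untouched).
tighten_conflicts() {
    find "$1" -type f -name '*.sync-conflict-*' -perm /077 -exec chmod go-rwx {} +
}

# Constructed demonstration: a database created owner-only, and a conflict
# copy that arrives without permission information and so is created with
# the process default (umask 022 here, giving 0644).
demo() {
    dir=$(mktemp -d)
    ( umask 077; : > "$dir/passwords.kdbx" )
    ( umask 022; : > "$dir/passwords.sync-conflict-20240101-120000-ABCDEFG.kdbx" )

    echo "modes before:"
    stat -c '%a %n' "$dir"/*

    echo "exposed conflict copies:"
    find_exposed_conflicts "$dir"

    tighten_conflicts "$dir"
    echo "modes after tightening:"
    stat -c '%a %n' "$dir"/*

    rm -rf "$dir"
}

demo
```

Running `find_exposed_conflicts` from cron or a systemd timer against the real folder path gives an ongoing check; the original database is never touched because only names matching `*.sync-conflict-*` are selected.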