World-readable "sync-conflict" files for private files

I’m using SyncThing to sync a password database between a Linux PC and an Android phone. I’ve recently noticed that while the password database itself is restricted to my own user, SyncThing kept creating *.sync-conflict-* files that are world-readable, therefore exposing the password database to other users, e.g.:

-rw------- 1 mgorny mgorny 56K 11-13 05:04 Passwords.kdbx
-rw-r--r-- 1 mgorny mgorny 51K 10-20 07:49 Passwords.sync-conflict-20231023-155348-DLDPJRE.kdbx

Is this a problem with my setup, or perhaps a bug?

I suspect it’s a problem with your setup. I can’t know from the description, but here’s what I think happened:

  • A conflict was created on the Android side
  • The Android side uses “ignore permissions”
  • The conflict file gets synced to Linux without permissions, thus getting the default you see

This is “as designed” given ignore-permissions is enabled. The actual sync conflict, when created, is an mv of the original file and should thus retain its permission bits.
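A small check for the situation described above, added here as an example and not code from the thread or from Syncthing: it walks a folder, maps each `*.sync-conflict-*` file back to the file it was forked from, and reports (or tightens) conflict copies that grant group/other bits the original does not. The conflict-name pattern is taken from the file name in the question; the sample directory is constructed for the demo.

```python
"""Find Syncthing *.sync-conflict-* copies whose group/other permission
bits are wider than those of the file they were forked from."""
import os
import re
import stat
import tempfile

# Conflict names look like <stem>.sync-conflict-YYYYMMDD-HHMMSS-XXXXXXX<ext>
CONFLICT_RE = re.compile(r"\.sync-conflict-\d{8}-\d{6}-[A-Z0-9]{7}")


def original_name(conflict_path):
    """Map a conflict file path back to the file it conflicts with."""
    return CONFLICT_RE.sub("", conflict_path, count=1)


def find_loose_conflicts(root):
    """Return [(conflict, orig, extra_bits)] for conflict files that carry
    group/other permission bits the original file does not have."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not CONFLICT_RE.search(name):
                continue
            conflict = os.path.join(dirpath, name)
            orig = original_name(conflict)
            if not os.path.isfile(orig):
                continue  # original gone; nothing to compare against
            cmode = stat.S_IMODE(os.stat(conflict).st_mode)
            omode = stat.S_IMODE(os.stat(orig).st_mode)
            extra = (cmode & ~omode) & 0o077  # group/other bits only
            if extra:
                found.append((conflict, orig, extra))
    return found


def tighten(root):
    """chmod each loose conflict copy to its original's mode; return count."""
    loose = find_loose_conflicts(root)
    for conflict, orig, _extra in loose:
        os.chmod(conflict, stat.S_IMODE(os.stat(orig).st_mode))
    return len(loose)


def demo():
    """Constructed layout mirroring the ls output in the question (0600 vs 0644)."""
    root = tempfile.mkdtemp()
    db = os.path.join(root, "Passwords.kdbx")
    conflict = os.path.join(root, "Passwords.sync-conflict-20231023-155348-DLDPJRE.kdbx")
    for path, mode in ((db, 0o600), (conflict, 0o644)):
        with open(path, "wb") as f:
            f.write(b"constructed sample, not a real database")
        os.chmod(path, mode)
    return root
```

Running `find_loose_conflicts(demo())` reports the conflict copy with extra bits 0o044; `tighten()` chmods it down to 0600 to match the original.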