Add cross-platform secure file permissions with Windows DACL support (#73)

# Problem
Unix permission modes (0600, 0700) used throughout the codebase are
no-ops on Windows for access control. On a multi-user Windows machine,
OAuth tokens, emails, and attachments are readable by other users.

# Solution
Create internal/fileutil/ package with build-tagged implementations: 
- Unix: thin wrappers around os.WriteFile, os.MkdirAll, os.Chmod,
os.OpenFile
- Windows: after calling the standard os function, set a DACL
restricting access to the current user when the mode is owner-only (perm
& 0077 == 0)

# internal/fileutil/
- secure_unix.go (//go:build !windows) — thin wrappers around
os.WriteFile, os.MkdirAll, os.Chmod, os.OpenFile
- secure_windows.go (//go:build windows) — calls the standard os
function, then for owner-only modes (perm & 0077 == 0) applies a DACL
via golang.org/x/sys/windows that grants GENERIC_ALL only to the current
user with PROTECTED_DACL_SECURITY_INFORMATION to block inherited ACEs.
SID lookup failures log a warning and fall back to default behavior.
- secure_test.go — 6 tests covering all 4 functions with owner-only and
permissive modes, error paths, and read-only open

# Usage
  | File | Internal calls |
  |---|---|
| internal/oauth/oauth.go │|os.MkdirAll → SecureMkdirAll (0700),
os.Chmod → SecureChmod (0600) |
| internal/config/config.go | 2x os.MkdirAll → SecureMkdirAll (0700) |
| internal/deletion/manifest.go | os.WriteFile → SecureWriteFile (0600)
|
| internal/sync/sync.go | os.WriteFile → SecureWriteFile (0600) |
| cmd/msgvault/cmd/export_eml.go | os.WriteFile → SecureWriteFile (0600)
|
| cmd/msgvault/cmd/export_attachment.go | os.OpenFile → SecureOpenFile
(0600) |
| internal/export/attachments.go | 2x os.OpenFile → SecureOpenFile (perm
param) |
| internal/update/update.go | os.WriteFile → SecureWriteFile (0600) |

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Wes McKinney <wesmckinn+git@gmail.com>

Author: 3 people

cmd/msgvault/cmd/export_attachment.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/wesm/msgvault/internal/export"
+	"github.com/wesm/msgvault/internal/fileutil"
 )
 
 var (
@@ -133,7 +134,7 @@ func exportAttachmentBinary(storagePath, contentHash string) error {
 		return err
 	}
 
-	dst, err := os.OpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	dst, err := fileutil.SecureOpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return fmt.Errorf("create output file: %w", err)
 	}

cmd/msgvault/cmd/export_eml.go

@@ -6,6 +6,7 @@ import (
 	"strconv"
 
 	"github.com/spf13/cobra"
+	"github.com/wesm/msgvault/internal/fileutil"
 	"github.com/wesm/msgvault/internal/query"
 	"github.com/wesm/msgvault/internal/store"
 )
@@ -86,7 +87,7 @@ Examples:
 			return err
 		}
 
-		err = os.WriteFile(outputPath, rawData, 0600) // Restricted permissions for email content
+		err = fileutil.SecureWriteFile(outputPath, rawData, 0600) // Restricted permissions for email content
 		if err != nil {
 			return fmt.Errorf("write file: %w", err)
 		}

go.mod

@@ -9,15 +9,18 @@ require (
 	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/charmbracelet/x/ansi v0.10.1
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
+	github.com/google/go-cmp v0.7.0
 	github.com/jhillyerd/enmime v1.3.0
 	github.com/marcboeker/go-duckdb v1.8.5
 	github.com/mark3labs/mcp-go v0.43.2
 	github.com/mattn/go-runewidth v0.0.16
 	github.com/mattn/go-sqlite3 v1.14.33
 	github.com/muesli/termenv v0.16.0
 	github.com/spf13/cobra v1.10.2
+	golang.org/x/mod v0.30.0
 	golang.org/x/oauth2 v0.34.0
 	golang.org/x/sync v0.19.0
+	golang.org/x/sys v0.37.0
 	golang.org/x/text v0.30.0
 )
 
@@ -36,7 +39,6 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/google/flatbuffers v25.1.24+incompatible // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/invopop/jsonschema v0.13.0 // indirect
@@ -61,9 +63,7 @@ require (
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
 	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa // indirect
-	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/net v0.46.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
 	golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
 	golang.org/x/tools v0.38.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect

internal/config/config.go

@@ -3,11 +3,13 @@ package config
 
 import (
 	"fmt"
+	"log/slog"
 	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/BurntSushi/toml"
+	"github.com/wesm/msgvault/internal/fileutil"
 )
 
 // Config represents the msgvault configuration.
@@ -142,7 +144,7 @@ func (c *Config) AnalyticsDir() string {
 
 // EnsureHomeDir creates the msgvault home directory if it doesn't exist.
 func (c *Config) EnsureHomeDir() error {
-	return os.MkdirAll(c.HomeDir, 0700)
+	return fileutil.SecureMkdirAll(c.HomeDir, 0700)
 }
 
 // ConfigFilePath returns the path to the config file.
@@ -174,28 +176,40 @@ func MkTempDir(pattern string, preferredDirs ...string) (string, error) {
 		}
 		dir, err := os.MkdirTemp(base, pattern)
 		if err == nil {
+			secureTempDir(dir)
 			return dir, nil
 		}
 	}
 
 	// Try system temp dir
 	dir, sysErr := os.MkdirTemp("", pattern)
 	if sysErr == nil {
+		secureTempDir(dir)
 		return dir, nil
 	}
 
 	// Fallback: use ~/.msgvault/tmp/
 	fallbackBase := filepath.Join(DefaultHome(), "tmp")
-	if err := os.MkdirAll(fallbackBase, 0700); err != nil {
+	if err := fileutil.SecureMkdirAll(fallbackBase, 0700); err != nil {
 		return "", fmt.Errorf("create temp dir: %w (fallback also failed: %v)", sysErr, err)
 	}
 	dir, err := os.MkdirTemp(fallbackBase, pattern)
 	if err != nil {
 		return "", fmt.Errorf("create temp dir: %w (fallback also failed: %v)", sysErr, err)
 	}
+	secureTempDir(dir)
 	return dir, nil
 }
 
+// secureTempDir applies owner-only permissions to a temp directory created by
+// os.MkdirTemp, which uses default permissions. On Windows, this also sets an
+// owner-only DACL. Failures are logged but non-fatal.
+func secureTempDir(dir string) {
+	if err := fileutil.SecureChmod(dir, 0700); err != nil {
+		slog.Warn("failed to secure temp directory permissions", "path", dir, "err", err)
+	}
+}
+
 // resolveRelative makes a relative path absolute by joining it with base.
 // Absolute paths and empty strings are returned unchanged.
 func resolveRelative(path, base string) string {

internal/config/config_test.go

@@ -344,6 +344,23 @@ func TestDefaultHomeExpandsTilde(t *testing.T) {
 	}
 }
 
+// assertTempDirSecured checks that a temp dir has permissions no more
+// permissive than 0700. This is umask-tolerant (stricter is fine).
+func assertTempDirSecured(t *testing.T, dir string) {
+	t.Helper()
+	if runtime.GOOS == "windows" {
+		return // Windows uses DACLs, not Unix permission bits
+	}
+	info, err := os.Stat(dir)
+	if err != nil {
+		t.Fatalf("Stat temp dir: %v", err)
+	}
+	got := info.Mode().Perm()
+	if got&^os.FileMode(0700) != 0 {
+		t.Errorf("temp dir perm = %04o, has bits beyond 0700 (extra: %04o)", got, got&^0700)
+	}
+}
+
 func TestMkTempDir(t *testing.T) {
 	t.Run("uses system temp when no preferred dirs", func(t *testing.T) {
 		dir, err := MkTempDir("test-*")
@@ -355,6 +372,7 @@ func TestMkTempDir(t *testing.T) {
 		if _, err := os.Stat(dir); err != nil {
 			t.Errorf("temp dir does not exist: %v", err)
 		}
+		assertTempDirSecured(t, dir)
 	})
 
 	t.Run("uses preferred dir when available", func(t *testing.T) {
@@ -368,6 +386,7 @@ func TestMkTempDir(t *testing.T) {
 		if !strings.HasPrefix(dir, preferred) {
 			t.Errorf("temp dir %q not under preferred %q", dir, preferred)
 		}
+		assertTempDirSecured(t, dir)
 	})
 
 	t.Run("skips empty preferred dir strings", func(t *testing.T) {
@@ -433,13 +452,8 @@ func TestMkTempDir(t *testing.T) {
 		}
 
 		// Verify the tmp dir was created with restrictive permissions
-		info, err := os.Stat(expectedBase)
-		if err != nil {
-			t.Fatalf("stat fallback dir: %v", err)
-		}
-		if perm := info.Mode().Perm(); perm != 0o700 {
-			t.Errorf("fallback dir permissions = %04o, want 0700", perm)
-		}
+		assertTempDirSecured(t, expectedBase)
+		assertTempDirSecured(t, dir)
 	})
 }
 

internal/deletion/manifest.go

@@ -10,6 +10,8 @@ import (
 	"sort"
 	"strings"
 	"time"
+
+	"github.com/wesm/msgvault/internal/fileutil"
 )
 
 // Status represents the state of a deletion batch.
@@ -151,7 +153,7 @@ func (m *Manifest) Save(path string) error {
 		return err
 	}
 
-	return os.WriteFile(path, data, 0600)
+	return fileutil.SecureWriteFile(path, data, 0600)
 }
 
 // FormatSummary returns a human-readable summary of the deletion.

internal/export/attachments.go

@@ -13,6 +13,8 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/wesm/msgvault/internal/fileutil"
+
 	"github.com/wesm/msgvault/internal/query"
 )
 
@@ -322,7 +324,7 @@ func exportAttachmentToFile(outputDir, attachmentsDir, contentHash, filename str
 // trying path, path_1, path_2, etc. on conflict. Returns the open file and
 // the path that was actually used. Uses O_CREATE|O_EXCL to avoid TOCTOU races.
 func CreateExclusiveFile(p string, perm os.FileMode) (*os.File, string, error) {
-	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
+	f, err := fileutil.SecureOpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
 	if err == nil {
 		return f, p, nil
 	}
@@ -333,7 +335,7 @@ func CreateExclusiveFile(p string, perm os.FileMode) (*os.File, string, error) {
 	base := p[:len(p)-len(ext)]
 	for i := 1; ; i++ {
 		candidate := fmt.Sprintf("%s_%d%s", base, i, ext)
-		f, err = os.OpenFile(candidate, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
+		f, err = fileutil.SecureOpenFile(candidate, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
 		if err == nil {
 			return f, candidate, nil
 		}