Skip to content

fix(security): MQTT password via QKeychain + AppSettings file perms 0600 (GHSA-mmqp-cm4w-cvpp)#2958

Merged
ten9876 merged 1 commit into
mainfrom
auto/m3-mqtt-keychain
May 22, 2026
Merged

fix(security): MQTT password via QKeychain + AppSettings file perms 0600 (GHSA-mmqp-cm4w-cvpp)#2958
ten9876 merged 1 commit into
mainfrom
auto/m3-mqtt-keychain

Conversation

@ten9876

@ten9876 ten9876 commented May 22, 2026

Copy link
Copy Markdown
Collaborator

Two coupled findings from the 2026-05-09 audit (M3 + L5):

M3 — MQTT broker password was stored plaintext in ~/.config/AetherSDR/
AetherSDR.settings (default umask 0644, world-readable on most Linux
systems). Other accounts on the same machine could lift the password
and connect to the user's broker — for a station-automation MQTT setup
that may control rotators, amplifier PTT lockout, etc., that's real
exposure.

L5 — AppSettings.cpp's atomic save never tightened the file mode after
rename(), so the same file (which also contains SmartLink email, radio
nicknames, and other operator metadata) was world-readable as a class.
AsyncLogWriter already does setPermissions(ReadOwner|WriteOwner) on its
log files; AppSettings was the outlier.

This fix:

  1. Moves MqttPass to QKeychain using the same pattern SmartLinkClient
    already uses for the refresh token (service "AetherSDR", key
    "mqtt_password"). Async load on applet open, async save on user
    click, async delete when the user clears the field.

  2. Migrates existing plaintext entries on first launch: if MqttPass is
    present in AppSettings, populate the UI from it, write it to the
    keychain, and only remove the plaintext entry if the keychain write
    succeeded. Keychain failure leaves the plaintext in place for
    retry — better than losing the user's credentials.

  3. Tightens AppSettings file permissions to mode 0600 on every save
    (live file + .bak backup). Matches the AsyncLogWriter precedent.

  4. Falls back to plaintext AppSettings on builds without HAVE_KEYCHAIN,
    with a qCWarning explaining the security regression. Real builds
    on Linux/Windows/macOS all link Qt6Keychain so this branch is dead
    in practice; the guard keeps the build green on stripped-down
    environments.

Verified:

  • Local Release build (cmake --build … --target AetherSDR exits 0).
  • Live run with the M3 binary tightened the settings file from
    -rw-r--r-- to -rw------- on first save.
  • Live run with empty MQTT password exercised the DeletePasswordJob
    branch without errors.
  • HAVE_KEYCHAIN compiled in: nm shows QKeychain::ReadPasswordJob,
    WritePasswordJob, DeletePasswordJob symbols in the binary.
  • Migration path not functionally tested (operator had no legacy
    MqttPass entry); code follows the SmartLink refresh-token pattern
    which has been live for months.

Principle I.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

…600 (GHSA-mmqp-cm4w-cvpp)

Two coupled findings from the 2026-05-09 audit (M3 + L5):

M3 — MQTT broker password was stored plaintext in ~/.config/AetherSDR/
AetherSDR.settings (default umask 0644, world-readable on most Linux
systems).  Other accounts on the same machine could lift the password
and connect to the user's broker — for a station-automation MQTT setup
that may control rotators, amplifier PTT lockout, etc., that's real
exposure.

L5 — AppSettings.cpp's atomic save never tightened the file mode after
rename(), so the same file (which also contains SmartLink email, radio
nicknames, and other operator metadata) was world-readable as a class.
AsyncLogWriter already does setPermissions(ReadOwner|WriteOwner) on its
log files; AppSettings was the outlier.

This fix:

1. Moves MqttPass to QKeychain using the same pattern SmartLinkClient
   already uses for the refresh token (service "AetherSDR", key
   "mqtt_password").  Async load on applet open, async save on user
   click, async delete when the user clears the field.

2. Migrates existing plaintext entries on first launch: if MqttPass is
   present in AppSettings, populate the UI from it, write it to the
   keychain, and only remove the plaintext entry if the keychain write
   succeeded.  Keychain failure leaves the plaintext in place for
   retry — better than losing the user's credentials.

3. Tightens AppSettings file permissions to mode 0600 on every save
   (live file + .bak backup).  Matches the AsyncLogWriter precedent.

4. Falls back to plaintext AppSettings on builds without HAVE_KEYCHAIN,
   with a qCWarning explaining the security regression.  Real builds
   on Linux/Windows/macOS all link Qt6Keychain so this branch is dead
   in practice; the guard keeps the build green on stripped-down
   environments.

Verified:
- Local Release build (cmake --build … --target AetherSDR exits 0).
- Live run with the M3 binary tightened the settings file from
  -rw-r--r-- to -rw------- on first save.
- Live run with empty MQTT password exercised the DeletePasswordJob
  branch without errors.
- HAVE_KEYCHAIN compiled in: nm shows QKeychain::ReadPasswordJob,
  WritePasswordJob, DeletePasswordJob symbols in the binary.
- Migration path not functionally tested (operator had no legacy
  MqttPass entry); code follows the SmartLink refresh-token pattern
  which has been live for months.

Principle I.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ten9876 ten9876 requested a review from jensenpat as a code owner May 22, 2026 06:20
@ten9876 ten9876 enabled auto-merge (squash) May 22, 2026 06:20
@ten9876 ten9876 merged commit f2a7ae7 into main May 22, 2026
5 checks passed
@ten9876 ten9876 deleted the auto/m3-mqtt-keychain branch May 22, 2026 06:43
G6PWY-Chris pushed a commit to G6PWY-Chris/AetherSDR that referenced this pull request Jun 22, 2026
…600 (GHSA-mmqp-cm4w-cvpp) (aethersdr#2958)

Two coupled findings from the 2026-05-09 audit (M3 + L5):

M3 — MQTT broker password was stored plaintext in ~/.config/AetherSDR/
AetherSDR.settings (default umask 0644, world-readable on most Linux
systems).  Other accounts on the same machine could lift the password
and connect to the user's broker — for a station-automation MQTT setup
that may control rotators, amplifier PTT lockout, etc., that's real
exposure.

L5 — AppSettings.cpp's atomic save never tightened the file mode after
rename(), so the same file (which also contains SmartLink email, radio
nicknames, and other operator metadata) was world-readable as a class.
AsyncLogWriter already does setPermissions(ReadOwner|WriteOwner) on its
log files; AppSettings was the outlier.

This fix:

1. Moves MqttPass to QKeychain using the same pattern SmartLinkClient
   already uses for the refresh token (service "AetherSDR", key
   "mqtt_password").  Async load on applet open, async save on user
   click, async delete when the user clears the field.

2. Migrates existing plaintext entries on first launch: if MqttPass is
   present in AppSettings, populate the UI from it, write it to the
   keychain, and only remove the plaintext entry if the keychain write
   succeeded.  Keychain failure leaves the plaintext in place for
   retry — better than losing the user's credentials.

3. Tightens AppSettings file permissions to mode 0600 on every save
   (live file + .bak backup).  Matches the AsyncLogWriter precedent.

4. Falls back to plaintext AppSettings on builds without HAVE_KEYCHAIN,
   with a qCWarning explaining the security regression.  Real builds
   on Linux/Windows/macOS all link Qt6Keychain so this branch is dead
   in practice; the guard keeps the build green on stripped-down
   environments.

Verified:
- Local Release build (cmake --build … --target AetherSDR exits 0).
- Live run with the M3 binary tightened the settings file from
  -rw-r--r-- to -rw------- on first save.
- Live run with empty MQTT password exercised the DeletePasswordJob
  branch without errors.
- HAVE_KEYCHAIN compiled in: nm shows QKeychain::ReadPasswordJob,
  WritePasswordJob, DeletePasswordJob symbols in the binary.
- Migration path not functionally tested (operator had no legacy
  MqttPass entry); code follows the SmartLink refresh-token pattern
  which has been live for months.

Principle I.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant