fix(security): MQTT password via QKeychain + AppSettings file perms 0600 (GHSA-mmqp-cm4w-cvpp)#2958
Merged
Merged
Conversation
…600 (GHSA-mmqp-cm4w-cvpp) Two coupled findings from the 2026-05-09 audit (M3 + L5): M3 — MQTT broker password was stored plaintext in ~/.config/AetherSDR/ AetherSDR.settings (default umask 0644, world-readable on most Linux systems). Other accounts on the same machine could lift the password and connect to the user's broker — for a station-automation MQTT setup that may control rotators, amplifier PTT lockout, etc., that's real exposure. L5 — AppSettings.cpp's atomic save never tightened the file mode after rename(), so the same file (which also contains SmartLink email, radio nicknames, and other operator metadata) was world-readable as a class. AsyncLogWriter already does setPermissions(ReadOwner|WriteOwner) on its log files; AppSettings was the outlier. This fix: 1. Moves MqttPass to QKeychain using the same pattern SmartLinkClient already uses for the refresh token (service "AetherSDR", key "mqtt_password"). Async load on applet open, async save on user click, async delete when the user clears the field. 2. Migrates existing plaintext entries on first launch: if MqttPass is present in AppSettings, populate the UI from it, write it to the keychain, and only remove the plaintext entry if the keychain write succeeded. Keychain failure leaves the plaintext in place for retry — better than losing the user's credentials. 3. Tightens AppSettings file permissions to mode 0600 on every save (live file + .bak backup). Matches the AsyncLogWriter precedent. 4. Falls back to plaintext AppSettings on builds without HAVE_KEYCHAIN, with a qCWarning explaining the security regression. Real builds on Linux/Windows/macOS all link Qt6Keychain so this branch is dead in practice; the guard keeps the build green on stripped-down environments. Verified: - Local Release build (cmake --build … --target AetherSDR exits 0). - Live run with the M3 binary tightened the settings file from -rw-r--r-- to -rw------- on first save. - Live run with empty MQTT password exercised the DeletePasswordJob branch without errors. - HAVE_KEYCHAIN compiled in: nm shows QKeychain::ReadPasswordJob, WritePasswordJob, DeletePasswordJob symbols in the binary. - Migration path not functionally tested (operator had no legacy MqttPass entry); code follows the SmartLink refresh-token pattern which has been live for months. Principle I. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
G6PWY-Chris
pushed a commit
to G6PWY-Chris/AetherSDR
that referenced
this pull request
Jun 22, 2026
…600 (GHSA-mmqp-cm4w-cvpp) (aethersdr#2958) Two coupled findings from the 2026-05-09 audit (M3 + L5): M3 — MQTT broker password was stored plaintext in ~/.config/AetherSDR/ AetherSDR.settings (default umask 0644, world-readable on most Linux systems). Other accounts on the same machine could lift the password and connect to the user's broker — for a station-automation MQTT setup that may control rotators, amplifier PTT lockout, etc., that's real exposure. L5 — AppSettings.cpp's atomic save never tightened the file mode after rename(), so the same file (which also contains SmartLink email, radio nicknames, and other operator metadata) was world-readable as a class. AsyncLogWriter already does setPermissions(ReadOwner|WriteOwner) on its log files; AppSettings was the outlier. This fix: 1. Moves MqttPass to QKeychain using the same pattern SmartLinkClient already uses for the refresh token (service "AetherSDR", key "mqtt_password"). Async load on applet open, async save on user click, async delete when the user clears the field. 2. Migrates existing plaintext entries on first launch: if MqttPass is present in AppSettings, populate the UI from it, write it to the keychain, and only remove the plaintext entry if the keychain write succeeded. Keychain failure leaves the plaintext in place for retry — better than losing the user's credentials. 3. Tightens AppSettings file permissions to mode 0600 on every save (live file + .bak backup). Matches the AsyncLogWriter precedent. 4. Falls back to plaintext AppSettings on builds without HAVE_KEYCHAIN, with a qCWarning explaining the security regression. Real builds on Linux/Windows/macOS all link Qt6Keychain so this branch is dead in practice; the guard keeps the build green on stripped-down environments. Verified: - Local Release build (cmake --build … --target AetherSDR exits 0). - Live run with the M3 binary tightened the settings file from -rw-r--r-- to -rw------- on first save. - Live run with empty MQTT password exercised the DeletePasswordJob branch without errors. - HAVE_KEYCHAIN compiled in: nm shows QKeychain::ReadPasswordJob, WritePasswordJob, DeletePasswordJob symbols in the binary. - Migration path not functionally tested (operator had no legacy MqttPass entry); code follows the SmartLink refresh-token pattern which has been live for months. Principle I. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two coupled findings from the 2026-05-09 audit (M3 + L5):
M3 — MQTT broker password was stored plaintext in ~/.config/AetherSDR/
AetherSDR.settings (default umask 0644, world-readable on most Linux
systems). Other accounts on the same machine could lift the password
and connect to the user's broker — for a station-automation MQTT setup
that may control rotators, amplifier PTT lockout, etc., that's real
exposure.
L5 — AppSettings.cpp's atomic save never tightened the file mode after
rename(), so the same file (which also contains SmartLink email, radio
nicknames, and other operator metadata) was world-readable as a class.
AsyncLogWriter already does setPermissions(ReadOwner|WriteOwner) on its
log files; AppSettings was the outlier.
This fix:
Moves MqttPass to QKeychain using the same pattern SmartLinkClient
already uses for the refresh token (service "AetherSDR", key
"mqtt_password"). Async load on applet open, async save on user
click, async delete when the user clears the field.
Migrates existing plaintext entries on first launch: if MqttPass is
present in AppSettings, populate the UI from it, write it to the
keychain, and only remove the plaintext entry if the keychain write
succeeded. Keychain failure leaves the plaintext in place for
retry — better than losing the user's credentials.
Tightens AppSettings file permissions to mode 0600 on every save
(live file + .bak backup). Matches the AsyncLogWriter precedent.
Falls back to plaintext AppSettings on builds without HAVE_KEYCHAIN,
with a qCWarning explaining the security regression. Real builds
on Linux/Windows/macOS all link Qt6Keychain so this branch is dead
in practice; the guard keeps the build green on stripped-down
environments.
Verified:
-rw-r--r-- to -rw------- on first save.
branch without errors.
WritePasswordJob, DeletePasswordJob symbols in the binary.
MqttPass entry); code follows the SmartLink refresh-token pattern
which has been live for months.
Principle I.
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com