Problem
On Windows, create_protected_file() in util-win32.cpp:175 is an empty stub marked // TODO, so symmetric key files written by Key_file::store_to_file inherit default parent-directory ACLs instead of the owner-only protection applied on Unix (0600 via open(..., O_WRONLY|O_CREAT, 0600) in util-unix.cpp:168-175).
Affected call sites:
commands.cpp:997 — git-crypt init writes .git/git-crypt/keys/default
commands.cpp:1085 — internal key install
commands.cpp:1396 — git-crypt export-key <path> writes user-specified file
commands.cpp:1434, commands.cpp:1476 — additional key writes
Cite
util-win32.cpp:175:
void create_protected_file (const char* path) // TODO
{
}
Unchanged since commit 8c7a90f (2018-02-16, per git blame).
Expected
Key file created with an ACL restricting read to the current user (e.g. CreateFileA + SetSecurityInfo with an owner-only DACL, or CreateFileA with a SECURITY_ATTRIBUTES carrying an explicit DACL).
Actual
Key file inherits parent-directory ACL. On a shared/domain-joined Windows host where Users or Authenticated Users has read on the containing directory, the symmetric key becomes readable by other local principals.
Environment
git-crypt 0.8.0 (NEWS.md, 2025-09-23), Windows build path. C++11, OpenSSL 1.1+ per NEWS.md.
Thanks for maintaining AGWA/git-crypt!
Problem
On Windows,
create_protected_file()inutil-win32.cpp:175is an empty stub marked// TODO, so symmetric key files written byKey_file::store_to_fileinherit default parent-directory ACLs instead of the owner-only protection applied on Unix (0600viaopen(..., O_WRONLY|O_CREAT, 0600)inutil-unix.cpp:168-175).Affected call sites:
commands.cpp:997—git-crypt initwrites.git/git-crypt/keys/defaultcommands.cpp:1085— internal key installcommands.cpp:1396—git-crypt export-key <path>writes user-specified filecommands.cpp:1434,commands.cpp:1476— additional key writesCite
util-win32.cpp:175:Unchanged since commit
8c7a90f(2018-02-16, pergit blame).Expected
Key file created with an ACL restricting read to the current user (e.g.
CreateFileA+SetSecurityInfowith an owner-only DACL, orCreateFileAwith aSECURITY_ATTRIBUTEScarrying an explicit DACL).Actual
Key file inherits parent-directory ACL. On a shared/domain-joined Windows host where
UsersorAuthenticated Usershas read on the containing directory, the symmetric key becomes readable by other local principals.Environment
git-crypt 0.8.0 (NEWS.md, 2025-09-23), Windows build path. C++11, OpenSSL 1.1+ per
NEWS.md.Thanks for maintaining AGWA/git-crypt!