Skip to content

Windows: create_protected_file is a no-op stub, key files created without ACL restriction #335

Description

@chirag127

Problem

On Windows, create_protected_file() in util-win32.cpp:175 is an empty stub marked // TODO, so symmetric key files written by Key_file::store_to_file inherit default parent-directory ACLs instead of the owner-only protection applied on Unix (0600 via open(..., O_WRONLY|O_CREAT, 0600) in util-unix.cpp:168-175).

Affected call sites:

  • commands.cpp:997git-crypt init writes .git/git-crypt/keys/default
  • commands.cpp:1085 — internal key install
  • commands.cpp:1396git-crypt export-key <path> writes user-specified file
  • commands.cpp:1434, commands.cpp:1476 — additional key writes

Cite

util-win32.cpp:175:

void create_protected_file (const char* path) // TODO
{
}

Unchanged since commit 8c7a90f (2018-02-16, per git blame).

Expected

Key file created with an ACL restricting read to the current user (e.g. CreateFileA + SetSecurityInfo with an owner-only DACL, or CreateFileA with a SECURITY_ATTRIBUTES carrying an explicit DACL).

Actual

Key file inherits parent-directory ACL. On a shared/domain-joined Windows host where Users or Authenticated Users has read on the containing directory, the symmetric key becomes readable by other local principals.

Environment

git-crypt 0.8.0 (NEWS.md, 2025-09-23), Windows build path. C++11, OpenSSL 1.1+ per NEWS.md.

Thanks for maintaining AGWA/git-crypt!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions