## Holocron SQLite Database Directory Created with World-Readable Permissions (0755)
The Holocron application's SQLite storage layer creates its database directory with overly permissive, world-readable permissions. The `New()` function in `internal/store/sqlite/sqlite.go` explicitly requests mode `0755` when it creates the directory. That mode allows any other user on a multi-user system to list the contents of the `~/.holocron/` directory, exposing the names of the database and configuration files.

The risk is not merely theoretical. A restrictive default `umask` may currently mitigate the issue, but because the code explicitly requests `0755`, the directory is created world-readable on any system with a common, more permissive `umask` such as `0022`, which enables local reconnaissance. This could be a precursor to further data access if the SQLite database file itself is also created with permissive permissions.

This file permission weakness is a clear medium-severity exposure. It undermines the principle of least privilege for local data storage and can leak metadata about a user's Holocron activity. The fix is to change the permission argument in the `os.MkdirAll` call from `0o755` to the user-only `0o700`, so that the directory is not accessible to other local users.
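
The following added example (not Holocron's own code) goes one step beyond the one-argument fix: `os.MkdirAll` leaves the mode of a directory that already exists unchanged, so a directory created by the old `0o755` call stays `0755` unless it is explicitly re-moded. The function names are hypothetical, and a temporary directory stands in for `~/.holocron/`.

```go
package main

import (
	"fmt"
	"os"
)

// mkdirOnly is the one-argument fix: enough for a fresh install, but
// os.MkdirAll returns nil without touching a directory that already exists.
func mkdirOnly(dir string) error { return os.MkdirAll(dir, 0o700) }

// ensurePrivateDir also tightens a directory left behind by the 0o755 code.
func ensurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	return os.Chmod(dir, 0o700)
}

// modeAfter puts a temporary directory into the constructed legacy 0755
// state, applies fix to it, and returns the resulting permission bits.
func modeAfter(fix func(string) error) (os.FileMode, error) {
	dir, err := os.MkdirTemp("", "holocron-demo-") // stands in for ~/.holocron
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	if err := os.Chmod(dir, 0o755); err != nil { // force 0755 whatever the umask
		return 0, err
	}
	if err := fix(dir); err != nil {
		return 0, err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	for _, fix := range []func(string) error{mkdirOnly, ensurePrivateDir} {
		mode, err := modeAfter(fix)
		fmt.Printf("%04o err=%v\n", mode, err)
	}
}
```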
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, sqlite, golang, file-permissions
- **Credibility**: unverified
- **Published**: 2026-03-28 03:26:53
- **ID**: 38702
- **URL**: https://whisperx.ai/en/intel/38702