Understanding the configuration storage in ~/.config/Duplicati. Can I remove stuff?

I don’t know why that is. Any idea what you were doing differently that might explain differences?

I didn’t design or write this, but a reason Duplicati-server.sqlite is readable by other users may be:

Duplicati Tray Icon Silently Dies with --no-hosted-server arg #3137

Assuming TrayIcon on Linux is the same, it needs the password to run on password-protected UI.

I suppose one view is that Linux should be given at least the equivalent bug by tightening up here; however, a Windows service problem is hard to hit because service is harder. Linux may be easier.

Not a full answer, but you can always open an issue in GitHub for comments and maybe changes.

Solidify SQLite dependencies #4024 may give another way to protect Linux a bit more. Windows is currently using System.Data.SQLite encryption, but it’s just RC4 with a usually-fixed (user-settable) password. Some refer to this as scrambling because it’s not good encryption, but it offers a little bit. Linux could perhaps attempt to follow Windows, at least to that extent. Follow linked issue for more.

Fix not revealing stored passwords from the UI [$100] #2024 got in using the various OS keychains; however, volunteer resources apparently aren’t available. Even with high protection, someone could steal credentials at point of use with a debugger, but I agree the current bar to theft is set pretty low.

Duplicati is very good about protecting from untrusted remote. Local attacks are harder to defend…

I’m pretty sure there are other GitHub security issues. Things in support requests get lost over time.
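
To see how exposed the files in ~/.config/Duplicati (including Duplicati-server.sqlite) are to other local users, the following read-only audit can be run. It is an added example, not part of the original post and not Duplicati's own code; the function names are assumptions of this example. It checks only the folder itself and the files in it, not the parent directories.

```shell
#!/bin/sh
# Added example: read-only audit of a Duplicati configuration folder.
# It changes nothing; it only reports which files other local users
# could read. Function names are hypothetical, chosen for this example.

# Succeeds when group or other has the search (x) bit on the folder,
# i.e. when someone other than the owner can reach the files inside.
dir_reachable_by_others() {
    # -prune keeps find from descending, so only the folder is tested.
    [ -n "$(find "$1" -prune \( -perm -010 -o -perm -001 \) -print)" ]
}

# Print each regular file under the folder that is readable by group
# or other AND actually reachable by them. A 0644 database inside a
# 0700 folder is not exposed, so nothing is printed in that case.
# Usage: audit_duplicati_perms [folder]   (default ~/.config/Duplicati)
audit_duplicati_perms() {
    dir=${1:-"$HOME/.config/Duplicati"}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if dir_reachable_by_others "$dir"; then
        # -perm -040 / -perm -004: group-read or other-read bit is set.
        find "$dir" -type f \( -perm -040 -o -perm -004 \) -print
    fi
}
```

An empty result means no file in the folder is readable by other accounts through the folder's own permissions. A path in the output means any credentials stored in that file are protected only by whatever the file format itself provides.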