From 3189547fd9b9c18449bf543964d87ee51174245f Mon Sep 17 00:00:00 2001
From: benthecarman
Date: Wed, 1 Apr 2026 13:23:08 -0500
Subject: [PATCH] Restrict TLS private key file permissions
The generated TLS private key was written with default permissions (typically 0644), making it world-readable. Set permissions to 0400 (owner-read-only) after writing, matching the existing API key file handling.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ldk-server/src/util/tls.rs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ldk-server/src/util/tls.rs b/ldk-server/src/util/tls.rs
index aae5e94a..99f881b5 100644
--- a/ldk-server/src/util/tls.rs
+++ b/ldk-server/src/util/tls.rs
@@ -9,6 +9,7 @@
 use std::fs;
 use std::net::IpAddr;
+use std::os::unix::fs::PermissionsExt;
 use base64::Engine;
 use ring::rand::SystemRandom;
@@ -134,6 +135,8 @@ fn generate_self_signed_cert(
 fs::write(key_path, &key_pem)
 .map_err(|e| format!("Failed to write TLS key to '{key_path}': {e}"))?;
+ fs::set_permissions(key_path, fs::Permissions::from_mode(0o400))
+ .map_err(|e| format!("Failed to set TLS key permissions for '{key_path}': {e}"))?;
 fs::write(cert_path, &cert_pem)
 .map_err(|e| format!("Failed to write TLS certificate to '{cert_path}': {e}"))?;
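Review bot: In the second hunk the key is still created by `fs::write` with umask-derived permissions and only tightened afterwards by `fs::set_permissions`, so the private key can be readable by other local users between the two calls, and it stays on disk with the loose mode if the chmod fails. Creating the file with the restrictive mode up front closes that window; this needs `std::os::unix::fs::OpenOptionsExt` and `std::io::Write` in place of the `PermissionsExt` import added in the first hunk. `create_new(true)` also refuses a path that already exists, including a symlink; whether callers only reach this code when no key exists is not visible here, since `generate_self_signed_cert` starts and ends outside the hunk. If overwriting must keep working, write to a temporary file created the same way and rename it over the old key.

```rust
// Create the key file owner-read-only from the start; create_new refuses an existing path.
let mut key_file = fs::OpenOptions::new()
	.write(true)
	.create_new(true)
	.mode(0o400)
	.open(key_path)
	.map_err(|e| format!("Failed to create TLS key file '{key_path}': {e}"))?;
key_file
	.write_all(key_pem.as_bytes()) // assumes key_pem is a String
	.map_err(|e| format!("Failed to write TLS key to '{key_path}': {e}"))?;
// … unchanged: fs::write(cert_path, &cert_pem) …
```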