Restrict TLS private key file permissions

benthecarman · claude · benthecarman · commit f08c7afcddb1 · 2026-04-01T13:23:14.000-05:00
The generated TLS private key was written with default
permissions (typically 0644), making it world-readable.
Set permissions to 0400 (owner-read-only) after writing,
matching the existing API key file handling.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/ldk-server/src/util/tls.rs b/ldk-server/src/util/tls.rs
@@ -9,6 +9,7 @@
 
 use std::fs;
 use std::net::IpAddr;
+use std::os::unix::fs::PermissionsExt;
 
 use base64::Engine;
 use ring::rand::SystemRandom;
@@ -134,6 +135,8 @@ fn generate_self_signed_cert(
 
 	fs::write(key_path, &key_pem)
 		.map_err(|e| format!("Failed to write TLS key to '{key_path}': {e}"))?;
+	fs::set_permissions(key_path, fs::Permissions::from_mode(0o400))
+		.map_err(|e| format!("Failed to set TLS key permissions for '{key_path}': {e}"))?;
 	fs::write(cert_path, &cert_pem)
 		.map_err(|e| format!("Failed to write TLS certificate to '{cert_path}': {e}"))?;
 
