From a6fc27141c70648654bc85d48aee06b1252f0c8d Mon Sep 17 00:00:00 2001
From: Michael Patterson <918859+mcpattrsn@users.noreply.github.com>
Date: Fri, 4 Jul 2025 02:02:33 -0500
Subject: [PATCH] File System Premissions

All private key and custom certificate files are now written with 0600 permissions. Ensuring consistency with sensitive information.
---
 backend/internal/certificate.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
index f2e845a24..e80717e51 100644
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@@ -536,27 +536,31 @@ const internalCertificate = {
 
 			try {
 				if (!fs.existsSync(dir)) {
-					fs.mkdirSync(dir);
+					fs.mkdirSync(dir, { mode: 0o700 });
 				}
 			} catch (err) {
 				reject(err);
 				return;
 			}
 
-			fs.writeFile(dir + '/fullchain.pem', certData, function (err) {
+			const fullchainPath = dir + '/fullchain.pem';
+			fs.writeFile(fullchainPath, certData, { mode: 0o600 }, function (err) {
 				if (err) {
 					reject(err);
 				} else {
+					try { fs.chmodSync(fullchainPath, 0o600); } catch (e) { /* ignore errors */ }
 					resolve();
 				}
 			});
 		})
 			.then(() => {
 				return new Promise((resolve, reject) => {
-					fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) {
+					const privkeyPath = dir + '/privkey.pem';
+					fs.writeFile(privkeyPath, certificate.meta.certificate_key, { mode: 0o600 }, function (err) {
 						if (err) {
 							reject(err);
 						} else {
+							try { fs.chmodSync(privkeyPath, 0o600); } catch (e) { /* ignore errors */ }
 							resolve();
 						}
 					});
@@ -683,6 +687,7 @@ const internalCertificate = {
 	checkPrivateKey: (private_key) => {
 		return tempWrite(private_key, '/tmp')
 			.then((filepath) => {
+				try { fs.chmodSync(filepath, 0o600); } catch (e) { /* ignore errors */ }
 				return new Promise((resolve, reject) => {
 					const failTimeout = setTimeout(() => {
 						reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.'));
@@ -716,6 +721,7 @@ const internalCertificate = {
 	getCertificateInfo: (certificate, throw_expired) => {
 		return tempWrite(certificate, '/tmp')
 			.then((filepath) => {
+				try { fs.chmodSync(filepath, 0o600); } catch (e) { /* ignore errors */ }
 				return internalCertificate.getCertificateInfoFromFile(filepath, throw_expired)
 					.then((certData) => {
 						fs.unlinkSync(filepath);