Refuse to use a world-readable TLS key.

2023-02-07 19:23:35 +01:00 · 2023-02-07 19:23:35 +01:00 · 16bf8e0534
commit 16bf8e0534
parent c0d0c0991c
1 changed files with 10 additions and 0 deletions
--- a/main.go
+++ b/main.go
@ -64,6 +64,16 @@ func main() {
 	}

 	// Read TLS files, create TLS config
+	// Check key file permissions first
+	info, err := os.Stat(config.KeyPath)
+	if err != nil {
+		errorLog.Println("Error opening TLS key file: " + err.Error())
+		log.Fatal(err)
+	}
+	if uint64(info.Mode().Perm())&0444 == 0444 {
+		errorLog.Println("Refusing to use world-readable TLS key file " + config.KeyPath)
+		os.Exit(0)
+	}
 	cert, err := tls.LoadX509KeyPair(config.CertPath, config.KeyPath)
 	if err != nil {
 		errorLog.Println("Error loading TLS keypair: " + err.Error())