From 60b3f77e29871f550e9d29b0b4bb56f71dbfa216 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Z=C3=BCrcher?=
Date: Wed, 28 May 2025 22:03:29 +0200
Subject: [PATCH] change user write so cert can be created without root

---
 cert/cert.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/cert/cert.go b/cert/cert.go
index e94b900..92dd483 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -63,7 +63,7 @@ func (c *Cert) GenerateSelfSignedCert() error {
 }

 if _, err := os.Stat(path.Dir(c.CertFile)); os.IsNotExist(err) {
- os.MkdirAll(path.Dir(c.CertFile), 0666)
+ os.MkdirAll(path.Dir(c.CertFile), 0700)
 }

 certOut, err := os.Create(c.CertFile)
@@ -73,8 +73,13 @@ func (c *Cert) GenerateSelfSignedCert() error {
 defer certOut.Close()
 pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})

+ // Set permission to 0600 (read/write by owner only)
+ if err := os.Chmod(c.CertFile, 0600); err != nil {
+ return err
+ }
+
 if _, err := os.Stat(path.Dir(c.KeyFile)); os.IsNotExist(err) {
- os.MkdirAll(path.Dir(c.KeyFile), 0666)
+ os.MkdirAll(path.Dir(c.KeyFile), 0700)
 }

 keyOut, err := os.Create(c.KeyFile)
@@ -85,5 +90,10 @@ func (c *Cert) GenerateSelfSignedCert() error {

 pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})

+ // Set permission to 0600 (read/write by owner only)
+ if err := os.Chmod(c.KeyFile, 0600); err != nil {
+ return err
+ }
+
 return nil
 }
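Review bot: The return value of `os.MkdirAll(path.Dir(c.CertFile), 0700)` is discarded, so a failure to create the directory only shows up later as a less specific error from os.Create; the KeyFile call in the second hunk has the same gap. The 0700 mode is applied only to directories MkdirAll actually creates, so a directory left over from the earlier 0666 code keeps its old mode. Consider `if err := os.MkdirAll(path.Dir(c.CertFile), 0700); err != nil { return err }`, which also makes the os.Stat guard redundant because MkdirAll returns nil for an existing directory. The function body starts and continues outside this hunk.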
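Review bot: The added `os.Chmod(c.CertFile, 0600)` runs only after os.Create and pem.Encode have finished, so a newly created file carries os.Create's default mode (0666 before umask) while the data is being written; the third hunk repeats this for c.KeyFile, where the content is the RSA private key. Creating the file already restricted closes that window: `keyOut, err := os.OpenFile(c.KeyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)`, followed by `keyOut.Chmod(0600)` before `pem.Encode` to cover a file that already existed with a wider mode. The os.Create calls are context lines here and the function body extends beyond the hunk.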
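Review bot: When `os.Chmod(c.KeyFile, 0600)` fails, the function returns the error but leaves the freshly written private key on disk with whatever mode it was created with. Removing the file on that path, `_ = os.Remove(c.KeyFile)` before `return err`, keeps a failed run from leaving key material behind. The result of the `pem.Encode(keyOut, ...)` context line above is also unchecked, so a short write of the key would still reach `return nil`; checking it in the same place would be consistent with the new error handling.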