From b32fee24c8ab141e979476d03ed0a8295347573c Mon Sep 17 00:00:00 2001
From: David Zhao
Date: Sun, 27 Dec 2020 23:11:28 -0800
Subject: [PATCH] require 0600 on keyfile for security
---
 cmd/server/main.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 90c8e5982..6ae6b6389 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -106,6 +106,11 @@ func startServer(c *cli.Context) error {
 func createKeyProvider(keyFile, keys string) (auth.KeyProvider, error) {
 // prefer keyfile if set
 if keyFile != "" {
+ if st, err := os.Stat(keyFile); err != nil {
+ return nil, err
+ } else if st.Mode().Perm() != 0600 {
+ return nil, fmt.Errorf("key file must have permission set to 600")
+ }
 f, err := os.Open(keyFile)
 if err != nil {
 return nil, err
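Review bot: The added `os.Stat(keyFile)` check in createKeyProvider inspects the path, and the following `os.Open(keyFile)` resolves the path a second time, so the file whose mode was verified is not guaranteed to be the file the keys are read from; running the check on the opened handle instead, `st, err := f.Stat()` placed after the open error check, removes that gap. The comparison `st.Mode().Perm() != 0600` also rejects stricter modes such as 0400 (common for secrets mounted read-only) and, as far as I know, cannot pass on Windows, where Go reports 0666 or 0444; testing only the group/other bits, `st.Mode().Perm()&0077 != 0`, expresses the intent. Putting the path and the observed mode in the error makes the failure actionable for operators, e.g. `fmt.Errorf("key file %s must not be accessible by group or others (mode %04o)", keyFile, st.Mode().Perm())`. The function body continues past the end of the hunk, so whether `f` is closed on the new error return has to be checked there.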