From 2b800a5ecef25668333c3d1ed84fdccf8a345d12 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Mon, 12 Aug 2024 19:52:24 +0200
Subject: [PATCH] initializer: remove write permission from cert files
---
 initializer/main.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/initializer/main.go b/initializer/main.go
index c9eaf9322..5238f0230 100644
--- a/initializer/main.go
+++ b/initializer/main.go
@@ -108,19 +108,19 @@ func run() (retErr error) {
 }
 // write files to disk
- err = os.WriteFile("/contrast/tls-config/mesh-ca.pem", resp.MeshCACert, 0o644)
+ err = os.WriteFile("/contrast/tls-config/mesh-ca.pem", resp.MeshCACert, 0o400)
 if err != nil {
 return fmt.Errorf("writing mesh-ca.pem: %w", err)
 }
- err = os.WriteFile("/contrast/tls-config/certChain.pem", resp.CertChain, 0o644)
+ err = os.WriteFile("/contrast/tls-config/certChain.pem", resp.CertChain, 0o400)
 if err != nil {
 return fmt.Errorf("writing certChain.pem: %w", err)
 }
- err = os.WriteFile("/contrast/tls-config/key.pem", pemEncodedPrivKey, 0o600)
+ err = os.WriteFile("/contrast/tls-config/key.pem", pemEncodedPrivKey, 0o400)
 if err != nil {
 return fmt.Errorf("writing key.pem: %w", err)
 }
- err = os.WriteFile("/contrast/tls-config/coordinator-root-ca.pem", resp.RootCACert, 0o644)
+ err = os.WriteFile("/contrast/tls-config/coordinator-root-ca.pem", resp.RootCACert, 0o400)
 if err != nil {
 return fmt.Errorf("writing coordinator-root-ca.pem: %w", err)
 }
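Review bot: The mode passed to `os.WriteFile` is applied only when the file is created (and is still filtered by the umask), so the four 0o400 writes in this hunk do not tighten anything if `/contrast/tls-config` already holds files from an earlier run. An existing `key.pem` or certificate keeps its previous mode, and once a file is 0o400 a non-root initializer can no longer open it for writing, so a second run would return the "writing ...pem" error. Whether a re-run on the same volume can happen, and which UID the initializer uses, is not visible here. If it can, remove the target before each write, for example `if err := os.Remove(path); err != nil && !errors.Is(err, os.ErrNotExist) { return err }`, or write to a temporary name and rename it over the target. Owner-only read also assumes the consuming container runs under the same UID; the three certificates are public, so 0o444 would be enough for them while `key.pem` stays 0o400. The body of `run` starts and ends outside the hunk.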