From 4cc9027ba0532a30c10ef6ed3ebef2115a7b4d25 Mon Sep 17 00:00:00 2001
From: Zac Bergquist
Date: Tue, 17 Feb 2026 16:41:56 -0700
Subject: [PATCH] Tighten kinit file permissions

The Kerberos kinit client for database access temporarily writes a certificate (and its key and corresponding CA) to a temporary directory with world-reabable (and writable) permissions. The permissions on the parent directory are correctly restricted to the current user only, so there is no exploit possible, this change just adds defense in depth by restricting the file permissions as well.
---
 lib/srv/db/common/kerberos/kinit/kinit.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/srv/db/common/kerberos/kinit/kinit.go b/lib/srv/db/common/kerberos/kinit/kinit.go
index 21508054a0d1b..90d2a8811549b 100644
--- a/lib/srv/db/common/kerberos/kinit/kinit.go
+++ b/lib/srv/db/common/kerberos/kinit/kinit.go
@@ -222,17 +222,17 @@ func (k *kinitProvider) CreateClient(ctx context.Context, username string) (*cli
 		return nil, trace.Wrap(err)
 	}
 
-	err = os.WriteFile(certPath, certResult.certPEM, 0644)
+	err = os.WriteFile(certPath, certResult.certPEM, 0600)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	err = os.WriteFile(keyPath, certResult.keyPEM, 0644)
+	err = os.WriteFile(keyPath, certResult.keyPEM, 0600)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	err = os.WriteFile(userCAPath, k.buildAnchorsFileContents(certResult.caCert), 0644)
+	err = os.WriteFile(userCAPath, k.buildAnchorsFileContents(certResult.caCert), 0600)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
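Review bot: The 0600 mode passed to os.WriteFile is only applied when the file is created; if certPath, keyPath or userCAPath already exists in the directory (not visible in this hunk, which only shows the three writes), the existing mode is kept and the tightened permission does nothing. The commit message says the parent directory is a per-user temporary directory, so the files are presumably fresh, but that assumption is worth stating next to the key write, e.g. `// 0600: private key material; note WriteFile applies the mode only on create, so these paths must not pre-exist.` If pre-existing files are possible, an `os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)` for the key would make the intent enforceable rather than best-effort. CreateClient begins and ends outside the hunk, so whether the temp directory's cleanup is deferred before these writes cannot be confirmed here.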