From 4904082fee37478c1978f883047b9cfeca8907c6 Mon Sep 17 00:00:00 2001
From: Mehdi Sabraoui
Date: Wed, 24 Jun 2026 18:59:52 -0400
Subject: [PATCH] fix: restrict decrypt output file permissions to 0600

Cure53 audit finding TUR-02-002: the writeFile() helper used by the decrypt command created output files with 0644 permissions, making decrypted plaintext (private keys, mnemonics) readable by other users on the system.

Change the permission mode from 0644 to 0600 (owner read/write only) so that sensitive output files are not world- or group-readable.
---
 src/cmd/turnkey/pkg/root.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cmd/turnkey/pkg/root.go b/src/cmd/turnkey/pkg/root.go
index 6dac489..e69a12d 100644
--- a/src/cmd/turnkey/pkg/root.go
+++ b/src/cmd/turnkey/pkg/root.go
@@ -223,7 +223,7 @@ func readFile(path string) (string, error) {
 // Writes the given content to a file at the specified path.
 func writeFile(content string, path string) error {
- err := os.WriteFile(path, []byte(content), 0644)
+ err := os.WriteFile(path, []byte(content), 0600)
 if err != nil {
 return eris.Wrap(err, "error writing file")
 }