jwt permissions

2026-04-11 09:37:37 +03:00 · 2025-12-07 16:40:23 -06:00 · 2025-12-07 16:40:23 -06:00 · d3e038bfb3
commit d3e038bfb3
parent 28b0ad782a
1 changed files with 4 additions and 1 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@ -8,6 +8,7 @@ import logging
 import os
 import re
 import secrets
+import stat
 import time
 from datetime import datetime
 from pathlib import Path
@ -311,7 +312,9 @@ def get_jwt_secret() -> str:
            )
            jwt_secret = secrets.token_hex(64)
            try:
-                with open(jwt_secret_file, "w") as f:
+                # Use os.open to create file with restrictive permissions (0o600: read/write for owner only)
+                fd = os.open(jwt_secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
+                with os.fdopen(fd, "w") as f:
                    f.write(str(jwt_secret))
            except Exception:
                logger.warning(