From d3e038bfb33ab77862113ca9bb139a7e67df8d5d Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Sun, 7 Dec 2025 16:40:23 -0600
Subject: [PATCH] jwt permissions

---
 frigate/api/auth.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 9d921ab6a..dd35219eb 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -8,6 +8,7 @@ import logging
 import os
 import re
 import secrets
+import stat
 import time
 from datetime import datetime
 from pathlib import Path
@@ -311,7 +312,9 @@ def get_jwt_secret() -> str:
             )
             jwt_secret = secrets.token_hex(64)
             try:
-                with open(jwt_secret_file, "w") as f:
+                # Use os.open to create file with restrictive permissions (0o600: read/write for owner only)
+                fd = os.open(jwt_secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
+                with os.fdopen(fd, "w") as f:
                     f.write(str(jwt_secret))
             except Exception:
                 logger.warning(
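Review bot: `import stat` is added here but nothing in this patch references it; the new `os.open` call in get_jwt_secret passes the literal `0o600`, so the import is unused and linters will flag it. Either drop the line or use it for the mode, e.g. `os.open(jwt_secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)`. If it was intended for a chmod of an already-existing secret file, that change is not in this diff.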
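Review bot: A `.jwt_secret` file that already exists on disk keeps whatever mode it was written with, because the `0o600` mode only applies when `os.open` creates the file, and this branch presumably runs only when the file is absent (the existence check is above the hunk); installations upgraded from an earlier version would still carry the old, wider permissions unless the read path tightens them with something like `os.chmod(jwt_secret_file, 0o600)`. Also note that `os.O_EXCL` now makes a concurrent creation raise `FileExistsError`, which the unchanged `except Exception` below treats the same as a write failure (warning, in-memory secret kept), so two workers could end up with different secrets; an `except FileExistsError:` branch that re-reads the file would keep them consistent. get_jwt_secret's body continues both before and after this hunk.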