From 0d0b03e7d3f3082540a0dbc7ec05de835b92563d Mon Sep 17 00:00:00 2001
From: Christian Krause <chkr@plauener.de>
Date: Tue, 2 Jun 2026 22:28:51 +0200
Subject: [PATCH] libnm: use correct directory permissions in
 nm_utils_copy_cert_as_user

This patch fixes https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/work_items/1957.

At the moment, libnm creates the temporary certificate directory
with permission 0600.

Some NM plugins drop most of their capabilities (including CAP_DAC_OVERRIDE)
on startup and so, even when running as root, they can't create files
in that directory (since the execute permission is missing).

This patch sets the permission to 0700 to fix the problem.

Fixes: 1a52bbe7c9dc ('libnm: add function to copy a certificate or key as user')
---
 src/libnm-core-impl/nm-utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libnm-core-impl/nm-utils.c b/src/libnm-core-impl/nm-utils.c
index ad7eea438b..5086270803 100644
--- a/src/libnm-core-impl/nm-utils.c
+++ b/src/libnm-core-impl/nm-utils.c
@@ -6506,7 +6506,7 @@ nm_utils_copy_cert_as_user(const char *filename, const char *user, GError **erro
     nm_str_buf_destroy(&info.output_buffer);
     nm_str_buf_destroy(&info.error_buffer);
 
-    mkdir(RUN_CERT_DIR, 0600);
+    mkdir(RUN_CERT_DIR, 0700);
     fd = mkstemp(dst_path);
     if (fd < 0) {
         g_set_error_literal(error,