From ad6a48b219ea24cb7069eff10e698c16cf80534d Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Wed, 26 Feb 2025 20:59:32 +0100
Subject: [PATCH] Add comment about TLS-related file permissions

Co-authored-by: Dominik
Signed-off-by: MichaIng
---
 advanced/Templates/pihole-FTL-prestart.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/advanced/Templates/pihole-FTL-prestart.sh b/advanced/Templates/pihole-FTL-prestart.sh
index 07b28bbb..1abafd28 100755
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
@@ -16,6 +16,7 @@ chown -R pihole:pihole /etc/pihole /var/log/pihole
 find /etc/pihole/ /var/log/pihole/ -type d -exec chmod 0755 {} +
 # Set all files (except TLS-related ones) to u+rw g+r
 find /etc/pihole/ /var/log/pihole/ -type f ! \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0640 {} +
+# Set TLS-related files to a more restrictive u+rw *only* (they may contain private keys)
 find /etc/pihole/ /var/log/pihole/ -type f -name '*.pem' -o -name '*.crt' -exec chmod 0600 {} +
 # Logrotate config file need to be owned by root
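Review bot: The added comment says TLS-related files are set to u+rw only, but the `find` directly below it does not do that for `*.pem`. Without grouping, `-o` binds looser than the implicit AND, so the expression parses as `( -type f -name '*.pem' ) -o ( -name '*.crt' -exec chmod 0600 {} + )`; the `chmod` runs only for `*.crt` entries, and `-type f` does not apply to that branch. Because the preceding `find` excludes both suffixes from the 0640 pass, `*.pem` files (the ones the comment says may contain private keys) keep whatever mode they already had. Group the name tests the same way the line above does: `find /etc/pihole/ /var/log/pihole/ -type f \( -name '*.pem' -o -name '*.crt' \) -exec chmod 0600 {} +`. That `find` line is unchanged context in this hunk, so the commit would need to be extended to touch it.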