From ac74e2376987aeb1f02e7c8225d5461be4ea4c2e Mon Sep 17 00:00:00 2001
From: Mark Rushakoff
Date: Fri, 3 Mar 2023 11:25:22 -0500
Subject: [PATCH] fix(crypto/keyring): disallow non-owner reads of keyhash (#15258)
---
 CHANGELOG.md | 1 +
 crypto/keyring/keyring.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6076ea4f6..3f15534d1d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -154,6 +154,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [#14995](https://github.com/cosmos/cosmos-sdk/pull/14995) Allow unknown fields in `ParseTypedEvent`.
 * (store) [#14931](https://github.com/cosmos/cosmos-sdk/pull/14931) Exclude in-memory KVStores, i.e. `StoreTypeMemory`, from CommitInfo commitments.
 * (types/coin) [#14739](https://github.com/cosmos/cosmos-sdk/pull/14739) Deprecate the method `Coin.IsEqual` in favour of `Coin.Equal`. The difference between the two methods is that the first one results in a panic when denoms are not equal. This panic lead to unexpected behavior
+* (x/crypto) [#15258](https://github.com/cosmos/cosmos-sdk/pull/15258) Write keyhash file with permissions 0600 instead of 0555.
 ### Deprecated
diff --git a/crypto/keyring/keyring.go b/crypto/keyring/keyring.go
index a1e09ae4c9..8610cbf147 100644
--- a/crypto/keyring/keyring.go
+++ b/crypto/keyring/keyring.go
@@ -757,7 +757,7 @@ func newRealPrompt(dir string, buf io.Reader) func(string) (string, error) {
 continue
 }
- if err := os.WriteFile(dir+"/keyhash", passwordHash, 0o555); err != nil {
+ if err := os.WriteFile(keyhashFilePath, passwordHash, 0o600); err != nil {
 return "", err
 }
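Review bot: The `0o600` mode on the new `os.WriteFile(keyhashFilePath, ...)` call only applies when the file is created, because `os.WriteFile` truncates an existing file without changing its permissions. A keyhash written by an earlier release with `0o555` therefore stays readable by other local users after upgrading, which leaves the stored password hash open to offline guessing. Presumably the branch that loads an existing keyhash sits earlier in `newRealPrompt`, outside this hunk; that is where I would tighten the mode, e.g. `if err := os.Chmod(keyhashFilePath, 0o600); err != nil { return "", err }`. Failing that, the changelog entry should tell operators to chmod existing files. `keyhashFilePath` is also defined outside the hunk, so confirm it resolves to the same path as the old `dir+"/keyhash"`.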