From eb0a5d44598b1ad29431e7574de187340bd3cf34 Mon Sep 17 00:00:00 2001
From: Patrick Devine
Date: Thu, 18 Sep 2025 14:34:34 -0700
Subject: [PATCH] auth: check the permissions on the private key to see if it's readable (#12336)

---
 auth/auth.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index 61a8626c..b26e2315 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -19,16 +19,28 @@ import (
 const defaultPrivateKey = "id_ed25519"
 
 func keyPath() (string, error) {
- fileExists := func(fp string) bool {
+ fileIsReadable := func(fp string) bool {
 info, err := os.Stat(fp)
 if err != nil {
 return false
 }
- return !info.IsDir()
+
+ // Check that it's a regular file, not a directory or other file type
+ if !info.Mode().IsRegular() {
+ return false
+ }
+
+ // Try to open it to check readability
+ file, err := os.Open(fp)
+ if err != nil {
+ return false
+ }
+ file.Close()
+ return true
 }
 
 systemPath := filepath.Join("/usr/share/ollama/.ollama", defaultPrivateKey)
- if fileExists(systemPath) {
+ if fileIsReadable(systemPath) {
 return systemPath, nil
 }
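Review bot: `fileIsReadable` never inspects the key's permission bits, although the subject line says the commit checks permissions. It only confirms that the current process can open the path, so a system key under `/usr/share/ollama/.ollama` that is group- or world-readable is still selected without complaint. If loose modes should be rejected or logged, which the hunk does not settle, the check would be `if info.Mode().Perm()&0o077 != 0 { return false }` after the `IsRegular` test. Separately, the stat, open and close sequence is a probe on a path that is reopened later, so the result can be stale by the time the key is read. A comment such as `// Advisory probe only: the key is reopened by the caller, which must still handle read errors.` would make that explicit. The body of `keyPath` continues past the end of the hunk, so the later read is not visible here.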