From ad753a68f95d7f565e96e0b6c3d76aafbbba15ef Mon Sep 17 00:00:00 2001
From: Matt Lord
Date: Wed, 29 Jan 2025 20:18:45 -0500
Subject: [PATCH] Add comment
Signed-off-by: Matt Lord
---
 go/test/endtoend/cluster/vttablet_process.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/go/test/endtoend/cluster/vttablet_process.go b/go/test/endtoend/cluster/vttablet_process.go
index e51f4a827d5..225378059be 100644
--- a/go/test/endtoend/cluster/vttablet_process.go
+++ b/go/test/endtoend/cluster/vttablet_process.go
@@ -723,6 +723,12 @@ func (vttablet *VttabletProcess) ConfirmDataDirHasNoGlobalPerms(t *testing.T) {
 return
 }
+ // These are intentionally created with the world/other read bit set by mysqld itself
+ // during the --initialize[-insecure] step.
+ // See: https://dev.mysql.com/doc/mysql-security-excerpt/en/creating-ssl-rsa-files-using-mysql.html
+ // "On Unix and Unix-like systems, the file access mode is 644 for certificate files
+ // (that is, world readable) and 600 for key files (that is, accessible only by the
+ // account that runs the server)."
 var allowedFiles = []string{
 path.Join("data", "ca.pem"),
 path.Join("data", "client-cert.pem"),
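Review bot: The new comment above `allowedFiles` explains why these files are world-readable but does not say what may be added to the list, so the exemption can grow without anyone noticing it weakens the check. The MySQL text it quotes gives mode 600 for key files, so I would end the comment with a line such as `// Only files mysqld itself creates world-readable belong here; private key files (mode 600) must never be added.` The list and the rest of ConfirmDataDirHasNoGlobalPerms continue past the end of the hunk, so I cannot confirm from here that every entry is a certificate rather than a key. If the code that consumes the list skips these paths entirely, it may also be worth asserting that they carry no world write or execute bit instead of exempting them outright.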