diff --git a/bz2144531-fence_virtd-warn-files-not-mode-600.patch b/bz2144531-fence_virtd-warn-files-not-mode-600.patch
new file mode 100644
index 0000000..5d72acb
--- /dev/null
+++ b/bz2144531-fence_virtd-warn-files-not-mode-600.patch
@@ -0,0 +1,114 @@
+From 3b311a1b069cec59f3d47242282f5d9c67a82e06 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen
+Date: Mon, 21 Nov 2022 12:33:22 +0100
+Subject: [PATCH] fence_virtd: make fence_virtd.conf file mode 600 and fail if
+ fence_virtd.conf or key file are not mode 600
+
+---
+ agents/virt/config/Makefile.am | 3 +++
+ agents/virt/include/simpleconfig.h | 2 ++
+ agents/virt/server/config.c | 26 ++++++++++++++++++++++++++
+ agents/virt/server/main.c | 16 ++++++++++++++++
+ 4 files changed, 47 insertions(+)
+
+diff --git a/agents/virt/config/Makefile.am b/agents/virt/config/Makefile.am
+index 86d8df415..19d974278 100644
+--- a/agents/virt/config/Makefile.am
++++ b/agents/virt/config/Makefile.am
+@@ -37,5 +37,8 @@ y.tab.c: config.y
+ config.c: y.tab.c config.l
+ $(LEX) -oconfig.c $(srcdir)/config.l
+
++install-exec-hook:
++ chmod 600 $(DESTDIR)$(sysconfdir)/fence_virt.conf
++
+ clean-local:
+ rm -f config.tab.c config.tab.h config.c y.tab.c y.tab.h
+diff --git a/agents/virt/include/simpleconfig.h b/agents/virt/include/simpleconfig.h
+index 83d54377a..6aba85f02 100644
+--- a/agents/virt/include/simpleconfig.h
++++ b/agents/virt/include/simpleconfig.h
+@@ -49,6 +49,8 @@ config_object_t *sc_init(void);
+ /* Frees a previously-allocated copy of our simple config object */
+ void sc_release(config_object_t *c);
+
++int check_file_permissions(const char *fname);
++
+ int do_configure(config_object_t *config, const char *filename);
+
+ #endif
+diff -uNr a/agents/virt/server/config.c b/agents/virt/server/config.c
+--- a/agents/virt/server/config.c 2021-07-08 13:09:05.000000000 +0200
++++ b/agents/virt/server/config.c 2022-11-22 10:59:09.547919852 +0100
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "simpleconfig.h"
+ #include "static_map.h"
+@@ -595,6 +596,31 @@ listener_configure(config_object_t *config)
+ }
+
+
++int
++check_file_permissions(const char *fname)
++{
++ struct stat st;
++ mode_t file_perms = 0600;
++ int ret;
++
++ ret = stat(fname, &st);
++ if (ret != 0) {
++ printf("stat failed on file '%s': %s\n",
++ fname, strerror(errno));
++ return 1;
++ }
++
++ if ((st.st_mode & 0777) != file_perms) {
++ printf("WARNING: invalid permissions on file "
++ "'%s': has 0%o should be 0%o\n", fname,
++ (unsigned int)(st.st_mode & 0777),
++ (unsigned int)file_perms);
++ return 1;
++ }
++
++ return 0;
++}
++
+ int
+ do_configure(config_object_t *config, const char *config_file)
+ {
+diff -uNr a/agents/virt/server/main.c b/agents/virt/server/main.c
+--- a/agents/virt/server/main.c 2021-07-08 13:09:05.000000000 +0200
++++ b/agents/virt/server/main.c 2022-11-22 10:58:05.894530187 +0100
+@@ -14,7 +14,9 @@
+ /* Local includes */
+ #include "simpleconfig.h"
+ #include "static_map.h"
++#include "xvm.h"
+ #include "server_plugin.h"
++#include "simple_auth.h"
+ #include "debug.h"
+
+ /* configure.c */
+@@ -203,6 +205,18 @@
+ snprintf(pid_file, PATH_MAX, "/var/run/%s.pid", basename(argv[0]));
+ }
+
++ check_file_permissions(config_file);
++
++ sprintf(val, "listeners/%s/@key_file", listener_name);
++ if (sc_get(config, val,
++ val, sizeof(val)-1) == 0) {
++ dbg_printf(1, "Got %s for key_file\n", val);
++ } else {
++ snprintf(val, sizeof(val), "%s", DEFAULT_KEY_FILE);
++ }
++
++ check_file_permissions(val);
++
+ openlog(basename(argv[0]), LOG_NDELAY | LOG_PID, LOG_DAEMON);
+
+ daemon_init(basename(argv[0]), pid_file, foreground);
diff --git a/fence-agents.spec b/fence-agents.spec
index 9be3254..bc1a2ce 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -60,7 +60,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 38%{?alphatag:.%{alphatag}}%{?dist}
+Release: 39%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
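Review bot: Both calls added to main.c, `check_file_permissions(config_file);` and `check_file_permissions(val);`, discard the function's return value, so a wrong mode or a failed stat() only prints a WARNING and the daemon keeps starting, even though the patch subject says it should fail when the files are not mode 600 (the spec changelog says "warn", so the two disagree); if failing is the intent, `if (check_file_permissions(config_file)) return 1;` and the same for the key file, using whatever exit path main() already uses. The check `(st.st_mode & 0777) != file_perms` in config.c says nothing about ownership, so a key file that is 0600 but owned by an unprivileged user still passes even though that user can read it; consider also rejecting `st.st_uid != 0` (or a uid other than the daemon's) in the same function. The new `sprintf(val, "listeners/%s/@key_file", listener_name);` writes `val` unbounded while the `else` branch a few lines later uses `snprintf(val, sizeof(val), ...)`; `val` and `listener_name` are declared outside the hunk, so unless `listener_name` is already length-checked, prefer `snprintf(val, sizeof(val), "listeners/%s/@key_file", listener_name);`. The warnings are emitted with printf() before `openlog()` and `daemon_init()`, so they presumably reach stdout only and are lost once the process detaches unless run in the foreground; routing them through syslog after openlog() would keep them visible. The enclosing main() in main.c starts and ends outside the hunk.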
@@ -226,6 +226,7 @@ Patch31: bz2132008-fence_virt-add-note-reboot-action.patch
 Patch32: bz2134015-fence_lpar-only-output-additional-info-on-debug.patch
 Patch33: bz2136191-fence_ibm_powervs-improve-defaults.patch
 Patch34: bz2138823-fence_virtd-update-manpage.patch
+Patch35: bz2144531-fence_virtd-warn-files-not-mode-600.patch
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -371,6 +372,7 @@ BuildRequires: %{systemd_units}
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@@ -1437,6 +1439,11 @@ are located on corosync cluster nodes.
 %endif
 %changelog
+* Tue Nov 22 2022 Oyvind Albrigtsen - 4.10.0-39
+- fence_virtd: warn if config or key file(s) are not mode 600
+
+ Resolves: rhbz#bz2144531
+
 * Fri Nov 11 2022 Oyvind Albrigtsen - 4.10.0-38
 - fence_vmware_soap: set timeout, which should help cleanup tmp dirs
 Resolves: rhbz#2122944